Everest Forms Pro users should treat CVE-2026-3300 as an active WordPress site-takeover risk, not just an old changelog item. Security reporting on June 5, 2026 says attackers are exploiting the flaw in the wild, after the vulnerability had already been patched in the plugin’s 1.9.13 line earlier this year.[1]
The issue is a critical remote code execution bug in Everest Forms Pro, the paid form-builder plugin used on roughly 4,000 WordPress sites, according to the latest public coverage.[1] NVD describes the bug as PHP code injection in the Calculation Addon’s Complex Calculation handling: vulnerable versions build a PHP expression from submitted form values without escaping them safely before evaluation.[2]
That matters because exploitation does not require a WordPress account. A crafted submission to a form using the affected calculation path can let an unauthenticated attacker run arbitrary PHP code on the server. The practical result can be a rogue administrator account, a web shell, or other persistence that survives after the first request.[1]
The affected range is Everest Forms Pro 1.9.12 and earlier. NVD rates CVE-2026-3300 as CVSS 9.8 critical, with network attack vector, no privileges, and no user interaction required.[2] The vendor changelog lists version 1.9.13 with a security fix, followed by the later 1.9.14 and 1.9.15 releases, so site owners should verify the version actually installed rather than relying on a patch notice having once appeared in wp-admin.[4]

What site owners should check now
Start with the boring but decisive step: confirm the installed Everest Forms Pro version. If it is 1.9.12 or older, update immediately to a current fixed release. If the plugin is no longer needed, remove it rather than leaving a disabled but still-present copy that a future maintenance mistake could reactivate.
The most exposed sites are those that use the Pro plugin’s calculation features on public forms. Still, the safer response is to audit every site where Everest Forms Pro is installed, because form configuration often changes over time and the vulnerable path is tied to submitted field values rather than a privileged admin workflow.[2]
After updating, check for signs that exploitation already happened. Review recently created WordPress administrator accounts, especially unfamiliar accounts or names matching public attack reporting such as diksimarina.[1] Check file modification times under the WordPress root, recently changed plugin/theme PHP files, unknown files in writable upload paths, and server logs around form submission endpoints since April 13, 2026, the date attackers were reported to have begun exploiting the flaw.[1]
If a suspicious admin account, web shell, or unexplained PHP file is found, treat the site as compromised. Remove persistence, rotate WordPress admin passwords, rotate hosting and database credentials where exposure is plausible, and restore from a clean backup only after the vulnerable plugin version is gone.
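The checks above (confirm the installed version, look for administrator accounts created since the reported start of exploitation, and review submission traffic in the web server logs) can be scripted. The following is an added example written for this post, not code from Everest Forms, WordPress, or any of the cited sources. It assumes the standard WordPress plugin header (`Version: x.y.z`) and combined-format access logs; the endpoint prefixes it treats as form-submission paths (`/wp-admin/admin-ajax.php`, `/wp-json/`) are an assumption, and the sample log lines, user rows and REST route are constructed for the example.

```python
"""Post-patch triage helpers for CVE-2026-3300 (Everest Forms Pro).

Added example, not vendor code. Assumes the standard WordPress plugin header
("Version: x.y.z") and combined-format web server logs. The submission endpoints
matched below are an assumption, not a documented list of the plugin's routes.
"""
import re
from datetime import datetime, timezone

FIXED_VERSION = (1, 9, 13)  # first release carrying the fix, per the vendor changelog
EXPLOITATION_START = datetime(2026, 4, 13, tzinfo=timezone.utc)  # reported start of attacks

# Constructed sample: header block at the top of the plugin's main PHP file.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Everest Forms Pro
 * Version: 1.9.12
 */
"""

# Constructed sample access log (combined format). IPs are documentation ranges and
# the /wp-json/ route is a placeholder, not the plugin's real REST path.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2026:09:12:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Apr/2026:02:41:33 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [15/Apr/2026:11:03:10 +0000] "GET /contact/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Apr/2026:11:03:12 +0000] "POST /wp-json/PLUGIN-ROUTE-PLACEHOLDER/submit HTTP/1.1" 200 90 "-" "curl/8.0"
"""

# Constructed sample of wp_users rows with roles (what `wp user list` would show).
# WordPress stores user_registered in GMT.
SAMPLE_USERS = [
    {"user_login": "editor-jane", "roles": "editor", "user_registered": "2025-11-02 10:00:00"},
    {"user_login": "diksimarina", "roles": "administrator", "user_registered": "2026-04-21 03:14:07"},
    {"user_login": "owner", "roles": "administrator", "user_registered": "2023-01-15 12:00:00"},
]


def parse_plugin_version(header_text):
    """Pull the 'Version:' value out of a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.MULTILINE)
    if not m:
        raise ValueError("no Version: line in plugin header")
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def is_vulnerable_version(version):
    """Everest Forms Pro 1.9.12 and earlier are affected; 1.9.13 and later carry the fix."""
    return tuple(version) < FIXED_VERSION


LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINTS = ("/wp-admin/admin-ajax.php", "/wp-json/")  # assumed submission paths


def suspicious_form_posts(log_text, since=EXPLOITATION_START):
    """Return (timestamp, ip, path) for POSTs to submission endpoints on or after `since`."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["method"] == "POST" and ts >= since and m["path"].startswith(ENDPOINTS):
            hits.append((ts.isoformat(), m["ip"], m["path"]))
    return hits


def new_admins_since(users, since=EXPLOITATION_START):
    """Administrator accounts registered on or after `since`; each one needs a human explanation."""
    out = []
    for u in users:
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        registered = registered.replace(tzinfo=timezone.utc)
        if "administrator" in u["roles"].split(",") and registered >= since:
            out.append(u["user_login"])
    return out


if __name__ == "__main__":
    ver = parse_plugin_version(SAMPLE_PLUGIN_HEADER)
    print("installed", ".".join(map(str, ver)), "vulnerable:", is_vulnerable_version(ver))
    for hit in suspicious_form_posts(SAMPLE_LOG):
        print("POST to submission endpoint since exploitation start:", hit)
    print("admins created since exploitation start:", new_admins_since(SAMPLE_USERS))
```

On a real site, feed `parse_plugin_version` the plugin's main file, `suspicious_form_posts` the access log since April 13, 2026, and `new_admins_since` the output of `wp user list --role=administrator --fields=user_login,roles,user_registered --format=json`. A hit in any of the three is a reason to continue down the compromise checklist rather than a verdict on its own.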
This follows the same pattern seen in other WordPress plugin incidents: one unauthenticated bug can turn into full site control if attackers can create an admin or write server-side files. For similar response context, see the recent Kirki admin-takeover exploitation, the WP Maps Pro account-takeover campaign, and the earlier Essential Addons for Elementor vulnerability.
References
[1] The Hacker News, “Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites,” June 5, 2026. https://thehackernews.com/2026/06/hackers-exploit-critical-everest-forms.html
[2] NVD, “CVE-2026-3300 Detail.” https://nvd.nist.gov/vuln/detail/CVE-2026-3300
[3] Wordfence Intelligence, “Everest Forms Pro: Unauthenticated Remote Code Execution via PHP Code Injection.” https://www.wordfence.com/threat-intel/vulnerabilities/id/389c0b89-e408-4ad5-9723-a16b745771f0?source=cve
[4] Everest Forms, “Changelog.” https://everestforms.net/changelog/