Hackers are actively exploiting a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro plugin to gain full control over WordPress sites.
The security issue affects plugin versions 1.9.12 and earlier and can be exploited to execute arbitrary code on the server without authentication.
Everest Forms Pro is a commercial add-on for the WordPress form builder plugin Everest Forms, used to create contact, registration, payment, and other custom application forms.
The CVE-2026-3300 vulnerability lies in the plugin's advanced calculation function, which accepts a value submitted through a form field, inserts it into a PHP code string, and then uses PHP's eval() function to execute the resulting code.
User input is passed through the sanitize_text_field() function, but single quotes (') and other characters that affect PHP syntax are not escaped.
As a result, an attacker can close the intended string, inject arbitrary PHP code, comment out the remaining generated code, and execute code on the server.
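As an added illustration (not Everest Forms code; requires PHP 8), one way to harden the pattern just described: the submitted field is validated as a number and the admin-defined formula is evaluated by a small arithmetic interpreter instead of eval(), so no PHP source is ever assembled from user text. The `{field}` placeholder, the class and the function names are assumptions of this example.

```php
<?php
// Added example, not Everest Forms code. The article's flaw: a form value is
// spliced into PHP source and eval()'d, and sanitize_text_field() leaves the
// single quote that closes the literal. Hardened shape: validate the value as a
// number and run the admin-defined formula through a tiny interpreter.
final class SafeCalc {    // expr := term (('+'|'-') term)*   term := factor (('*'|'/') factor)*
    private array $tok;   // factor := number | '-' factor | '(' expr ')'
    private int $pos = 0;
    public function __construct(string $expr) {
        if (!preg_match('/^[\d.\s+\-*\/()]+$/', $expr)) {           // strict allow-list
            throw new InvalidArgumentException('disallowed characters in expression');
        }
        preg_match_all('/\d+(?:\.\d+)?|[+\-*\/()]/', $expr, $m);    // whitespace is skipped
        $this->tok = $m[0];
    }
    public function run(): float {
        $v = $this->expr();
        return $this->pos === count($this->tok) ? $v : throw new InvalidArgumentException('trailing token');
    }
    private function expr(): float {
        $v = $this->term();
        while (in_array($this->tok[$this->pos] ?? null, ['+', '-'], true)) {
            $v = $this->tok[$this->pos++] === '+' ? $v + $this->term() : $v - $this->term();
        }
        return $v;
    }
    private function term(): float {
        $v = $this->factor();
        while (in_array($this->tok[$this->pos] ?? null, ['*', '/'], true)) {
            $v = $this->tok[$this->pos++] === '*' ? $v * $this->factor() : $v / $this->factor();
        }
        return $v;                                                 // PHP 8: x/0 throws DivisionByZeroError
    }
    private function factor(): float {
        $t = $this->tok[$this->pos++] ?? null;
        if ($t === '(') {
            $v = $this->expr();
            if (($this->tok[$this->pos++] ?? null) !== ')') throw new InvalidArgumentException('missing )');
            return $v;
        }
        if ($t === '-') return -$this->factor();                  // unary minus (negative field values)
        if (!is_numeric($t)) throw new InvalidArgumentException('expected a number');
        return (float) $t;
    }
}
// The submitted field is data: it enters the formula only as a validated number.
function calculate_safe(string $formula, string $field_value): float {
    $n = filter_var(trim($field_value), FILTER_VALIDATE_FLOAT);
    if ($n === false) throw new InvalidArgumentException('field value must be numeric');
    return (new SafeCalc(str_replace('{field}', var_export($n, true), $formula)))->run();
}
```

`calculate_safe('({field} * 1.2) + 5', '10')` returns 17.0, while a value shaped like the one in the report (a quote followed by PHP and `//`) is rejected by the numeric check before any expression is built.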
Telemetry data from the Wordfence firewall and WordPress malware scanner shows that this vulnerability is being exploited to create fraudulent administrator accounts.
Wordfence's report explains, "The attacker sends the value of a text field starting with a single quote that closes the wrapped string literal, followed by a PHP statement that calls wp_insert_user() to create a new administrator account with the username 'diksimarina'."
"The trailing // comment marker causes the rest of the generated PHP code (including the closing quote) to be treated as a comment and avoids syntax errors."
"Once the form is processed and the calculations are evaluated, the injected PHP code is executed and a malicious administrator account is created."
Admin-level access gives attackers full privileges to perform harmful actions on a compromised site, including modifying content, installing plugins and themes, installing backdoors or web shells, and accessing private databases.
Researcher h0xilo reported the CVE-2026-3300 vulnerability through Wordfence in February, and on March 18th, Everest Forms developers released a patch to address the issue.
According to data from Wordfence, active exploitation began on April 13, and the firewall has blocked more than 29,300 attempts.

Source: Wordfence
Wordfence says the exploit attempts primarily originate from two IP addresses: 202.56.2(.)126 and 209.146.60.26, and recommends that defenders block them.
However, Wordfence's report lists several more offending IP addresses as indicators of compromise (IOCs).
Site administrators are also encouraged to review log files and administrator accounts for suspicious activity, especially those containing the string "diksimarina."
