Attackers are actively exploiting a critical unauthenticated remote code execution vulnerability in Everest Forms Pro, a premium WordPress form builder plugin used on hundreds of thousands of sites. The flaw enables any visitor to execute arbitrary PHP code on the server without authentication by abusing the plugin's Complex Calculation feature, which passes user-supplied input directly to PHP's eval() function. Wordfence has blocked over 29,300 exploit attempts as of June 2026.
The attack is highly automatable and leaves a distinctive forensic marker: a rogue WordPress administrator account with the username diksimarina. If you find this account on your site, your server is compromised and incident response is required immediately.
CVE Reference
- CVE: CVE-2026-3300
- CVSS Score: 9.8 (Critical)
- Affected versions: Everest Forms Pro 1.9.12 and earlier
- Patched version: 1.9.13 (released March 18, 2026)
- Attack vector: Network, unauthenticated, no user interaction
- Active Exploitation: YES — active since April 13, 2026; 29,300+ blocked attempts
What the Vulnerability Is
Everest Forms Pro includes a Complex Calculation feature that lets form designers create fields whose values are computed dynamically. Internally, the plugin takes user-submitted form field values, assembles them into a PHP code string, and then executes that string using PHP's eval() function.
A sanitization function (sanitize_text_field()) is applied to inputs before they reach eval(). However, sanitize_text_field() is designed for general text cleaning — it does not escape single quotes (') or other characters that control PHP syntax. This creates a trivially exploitable injection path: an attacker submits a PHP payload that uses single-quote-delimited strings to break out of the surrounding PHP expression and execute arbitrary code.
The root cause is a fundamental architectural error: user-controlled input must never reach eval() without full sandboxing, regardless of what sanitization has been applied. There is no sanitizer that makes eval(user_input) safe.
How the Attack Works
Step 1: Identify a site running Everest Forms Pro ≤ 1.9.12 with at least one form using the Complex Calculation field type.
Step 2: Submit a form with a crafted payload in the calculation field. A minimal example:
'); system('whoami'); //
The plugin assembles this into a PHP eval context. The single quote closes the string literal; system() executes an OS-level command; // comments out the remainder of the generated code.
Step 3: The PHP process executes the injected code with web server privileges — full file read/write access, outbound network connections, OS command execution.
Observed real-world payloads collected by Wordfence show attackers consistently creating a rogue WordPress administrator account with the username "diksimarina" (email: diksimarina@gmail.com). This persistent backdoor account survives plugin updates and gives attackers continued access even after the original vulnerability is patched.
The full attack chain observed in the wild:
- Exploit CVE-2026-3300 to execute PHP via the form submission endpoint
- Create rogue admin account ("diksimarina")
- Install web shell or malicious plugin via the admin panel
- Establish persistent foothold on the server
- Exfiltrate data or deploy ransomware/spam infrastructure
Active Exploitation Timeline
The vulnerability was patched on March 18, 2026. Exploitation began on April 13, 2026 — approximately three and a half weeks after the patch was released, following a common pattern in which attackers analyze patch diffs to reverse-engineer the vulnerability before many sites have updated. As of June 2026, Wordfence has blocked over 29,300 exploit attempts, with daily attack volume continuing at significant levels. The consistent appearance of the "diksimarina" account across thousands of sites indicates a single coordinated, automated campaign rather than opportunistic individual attacks.
Impact: Who Is at Risk
Any WordPress site running Everest Forms Pro 1.9.12 or earlier with at least one form that uses the Complex Calculation feature is vulnerable to full server compromise. Successful exploitation enables:
- Arbitrary PHP and OS command execution — read files, write files, execute binaries on the server
- WordPress admin account creation — persistent backdoor access that survives the plugin being updated or removed
- Web shell installation — long-term server access that survives reboots and updates
- Database exfiltration — all WordPress data including user credentials, customer PII, payment data
- Site defacement, ransomware deployment, SEO spam injection
Premium WooCommerce stores using Everest Forms Pro are particularly high-value targets due to the volume of customer and payment data stored in the database.
Remediation
Immediate actions:
- Update Everest Forms Pro to version 1.9.13 or later immediately — this patches the vulnerability
- Check for the "diksimarina" rogue admin account — go to Users → All Users, search for this username. If found, your site is compromised; proceed with full incident response rather than just patching
- Audit all administrator accounts added since March 2026 for accounts you did not create
- Perform a file integrity scan to identify web shells or malicious plugin files — either Wordfence's malware scanner or WP Cerber is appropriate
- Review server access logs for POST requests to form submission endpoints carrying single-quote payloads
- Rotate all WordPress admin passwords and database credentials
- If the rogue admin account is found, restore from a clean pre-exploitation backup — the server may contain persistent backdoors that a simple malware scan will not catch
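The log-review step above is easier to apply consistently with a small triage script. The following is an added example, not a Wordfence or Everest Forms tool. It assumes Apache/nginx "combined" log format and that the site's forms post to a path containing one of the placeholder strings in FORM_ENDPOINT_HINTS (replace these with the endpoints your forms actually use). Note that combined access logs record the request line but not the POST body, so on access logs alone a single quote is only visible in the query string; where a WAF or audit log supplies request bodies, pass them through the `body` parameter of flag_request(). The log lines in SAMPLE_LOG are constructed for the demonstration.

```python
"""
Access-log triage for POST requests to form submission endpoints that carry
single-quote payloads, as recommended in the remediation list.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Placeholders (assumption): substrings identifying your form submission endpoints.
FORM_ENDPOINT_HINTS = ("admin-ajax.php", "everest-forms")

# Apache/nginx combined format: ip ident user [time] "METHOD target proto" status size ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def looks_like_form_endpoint(target):
    """True if the request path (query string excluded) matches a known form endpoint."""
    path = target.split("?", 1)[0]
    return any(hint in path for hint in FORM_ENDPOINT_HINTS)


def flag_request(method, target, body=""):
    """Return a reason string if the request matches the indicator, otherwise None."""
    if method != "POST" or not looks_like_form_endpoint(target):
        return None
    # Percent-decode so %27 and a literal quote are treated alike.
    if "'" in unquote_plus(target):
        return "single quote in request target of form POST"
    if body and "'" in unquote_plus(body):
        return "single quote in form POST body"
    return None


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Return a list of flagged requests found in the given log text."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not combined format; skip rather than guess
        reason = flag_request(rec["method"], rec["target"])
        if reason:
            hits.append({"ip": rec["ip"], "time": rec["time"],
                         "target": rec["target"], "reason": reason})
    return hits


def count_by_ip(hits):
    """Repeated hits from one source are the signature of an automated campaign."""
    return Counter(h["ip"] for h in hits)


# Constructed sample log lines (not real traffic); the action name is made up.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Apr/2026:03:12:41 +0000] "POST /wp-admin/admin-ajax.php?action=form_submit&calc=%27%29%3B+system HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [14/Apr/2026:03:12:44 +0000] "POST /wp-admin/admin-ajax.php?action=form_submit HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Apr/2026:03:12:50 +0000] "POST /wp-admin/admin-ajax.php?action=form_submit&calc=%27%29%3B+system HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.44 - - [14/Apr/2026:03:13:02 +0000] "POST /contact/?x=it%27s HTTP/1.1" 200 100 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Apr/2026:03:13:09 +0000] "GET /wp-admin/admin-ajax.php?calc=%27 HTTP/1.1" 200 40 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["time"], h["reason"], h["target"])
    print(dict(count_by_ip(found)))
```

Only POSTs to the assumed form endpoints are flagged: the GET with a quote and the POST to an unrelated path are ignored, which keeps the output focused on the indicator the advisory describes.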
Architectural note for developers: The eval() function should never be used with any user-controlled input in production PHP code. The Complex Calculation feature should be redesigned to use a sandboxed expression parser — a math expression evaluator library — rather than PHP code execution.
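To make the architectural point concrete, here is an added example (not Everest Forms Pro code) of the safe design: a small recursive-descent parser for arithmetic over named form fields. The calculation text is tokenized against a fixed grammar and the resulting tree is evaluated directly, so no string is ever handed to an interpreter; submitted field values are converted to numbers rather than concatenated into code, and anything outside the grammar (including the single-quote payload shown above) is rejected before evaluation. The grammar, the field-reference syntax and the CalculationError class are choices made for this example.

```python
"""
Sandboxed calculation evaluator: the eval()-free alternative the advisory calls for.
Grammar:  expr := term (('+'|'-') term)*
          term := factor (('*'|'/') factor)*
          factor := '-' factor | number | field_name | '(' expr ')'
"""
import re

# Only numbers, identifiers and arithmetic punctuation are tokens; anything else is an error.
_TOKEN_RE = re.compile(r"(\d+(?:\.\d+)?)|([A-Za-z_][A-Za-z0-9_]*)|([-+*/()])")


class CalculationError(ValueError):
    """Raised for any input that is not a well-formed arithmetic expression."""


def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        m = _TOKEN_RE.match(text, pos)
        if not m:
            raise CalculationError(f"unexpected character {text[pos]!r} at offset {pos}")
        num, name, op = m.groups()
        if num is not None:
            tokens.append(("num", float(num)))
        elif name is not None:
            tokens.append(("name", name))
        else:
            tokens.append(("op", op))
        pos = m.end()
    return tokens


class _Parser:
    def __init__(self, tokens, fields):
        self.tokens, self.i, self.fields = tokens, 0, fields

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else (None, None)

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self):
        value = self.term()
        while self.peek() in (("op", "+"), ("op", "-")):
            _, op = self.take()
            rhs = self.term()
            value = value + rhs if op == "+" else value - rhs
        return value

    def term(self):
        value = self.factor()
        while self.peek() in (("op", "*"), ("op", "/")):
            _, op = self.take()
            rhs = self.factor()
            if op == "*":
                value *= rhs
            else:
                if rhs == 0:
                    raise CalculationError("division by zero")
                value /= rhs
        return value

    def factor(self):
        kind, val = self.take()
        if kind == "op" and val == "-":
            return -self.factor()
        if kind == "num":
            return val
        if kind == "name":
            # Field values are user input too: coerce to a number, never splice into code.
            if val not in self.fields:
                raise CalculationError(f"unknown field {val!r}")
            try:
                return float(self.fields[val])
            except (TypeError, ValueError):
                raise CalculationError(f"field {val!r} is not numeric")
        if kind == "op" and val == "(":
            inner = self.expr()
            if self.take() != ("op", ")"):
                raise CalculationError("expected ')'")
            return inner
        raise CalculationError(f"unexpected token {val!r}")


def evaluate(expression, fields):
    """Evaluate a calculation over submitted field values; raises CalculationError on bad input."""
    tokens = tokenize(expression)
    if not tokens:
        raise CalculationError("empty expression")
    parser = _Parser(tokens, fields)
    result = parser.expr()
    if parser.i != len(tokens):
        raise CalculationError("trailing input after expression")
    return result


def is_rejected(expression, fields=None):
    """True if the evaluator refuses the input without evaluating it."""
    try:
        evaluate(expression, fields or {})
        return False
    except CalculationError:
        return True


if __name__ == "__main__":
    print(evaluate("price * qty + 5", {"price": "10", "qty": 3}))
    print(is_rejected("'); system('whoami'); //"))
```

Because the tokenizer has no token for quotes, semicolons or function calls, the injection payload fails at the very first character, and the error is raised before any arithmetic happens. The same structure carries over to PHP: a tokenizer, a small parser and a direct tree walk replace the eval() call entirely.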