
Reports indicate that threat actors are actively exploiting a critical vulnerability, tracked as CVE-2026-3300, in the Everest Forms Pro plugin for the WordPress content management system, affecting versions 1.9.12 and earlier. The flaw allows an unauthenticated attacker to execute arbitrary code on the web server, which is enough to take full control of an affected site.
The issue lies in the plugin's Complex Calculation feature, which takes values submitted through form fields and evaluates them with PHP's eval() function without adequately sanitizing the input. Because submitted values are treated as code rather than as numbers, an attacker can inject arbitrary PHP. In the observed attacks the injected payload creates a hidden administrator account named diksimarina, which gives the attacker full privileges to modify content, install backdoors, or read the site's database.

According to Wordfence detection data, exploitation attempts were first observed on April 13, 2026, and rose steadily to a peak on May 16, 2026, when more than 17,000 malicious requests were detected in a single day, before the volume began to decline. In total, more than 29,300 attack attempts were blocked, with the bulk of the traffic originating from two IP addresses: 202.56.2.126 and 209.146.60.26.
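To make the failure mode concrete, here is an added example (not the plugin's code, and written in Python rather than PHP) of the same pattern: a site-owner-defined formula whose field names are substituted with submitted values and then handed to eval(), next to a hardened version that coerces every field value to a number and evaluates the formula with a walker that accepts only arithmetic. The formula, field names and submissions are constructed for illustration; the hostile value calls os.getpid() only to show, harmlessly, that submitted data runs as code.

```python
import ast
import operator

# Formula as a site owner would configure it: field names combined with arithmetic.
FORMULA = "(quantity * unit_price) * (1 - discount / 100)"

# Constructed submissions. Field values are attacker-controlled; the formula is not.
BENIGN_SUBMISSION = {"quantity": "3", "unit_price": "19.5", "discount": "10"}
# Hostile value: not a number but an expression that calls into the runtime.
HOSTILE_SUBMISSION = {"quantity": "__import__('os').getpid()", "unit_price": "1", "discount": "0"}


def vulnerable_calc(formula, submitted):
    """The dangerous pattern: splice raw field values into the formula text and
    hand the result to eval(). Whatever the value contains is executed as code,
    so a non-numeric value becomes code execution."""
    expr = formula
    for name, value in submitted.items():
        expr = expr.replace(name, str(value))   # no check that the value is numeric
    return eval(expr)                            # executes arbitrary code


# Hardened version: coerce every field value to a number first, then evaluate
# the formula with a walker that accepts only arithmetic. Field values never
# reach the parser as text. `**` is left out so a formula cannot burn CPU/memory.
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv, ast.Mod: operator.mod}
_UNARY = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def coerce_fields(submitted):
    """Reject any field value that is not a plain number."""
    env = {}
    for name, raw in submitted.items():
        try:
            env[name] = float(raw)
        except (TypeError, ValueError):
            raise ValueError(f"field {name!r} is not numeric: {raw!r}")
    return env


def _eval_node(node, env):
    if isinstance(node, ast.Expression):
        return _eval_node(node.body, env)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)) \
            and not isinstance(node.value, bool):
        return node.value
    if isinstance(node, ast.Name):
        if node.id in env:
            return env[node.id]
        raise ValueError(f"unknown field {node.id!r}")
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](_eval_node(node.left, env), _eval_node(node.right, env))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY:
        return _UNARY[type(node.op)](_eval_node(node.operand, env))
    # Calls, attribute access, subscripts, comparisons, lambdas: all refused.
    raise ValueError(f"disallowed syntax in formula: {type(node).__name__}")


def safe_calc(formula, submitted):
    env = coerce_fields(submitted)
    tree = ast.parse(formula, mode="eval")
    return _eval_node(tree, env)


def rejects(formula, submitted):
    """True if the hardened evaluator refuses the input."""
    try:
        safe_calc(formula, submitted)
        return False
    except (ValueError, SyntaxError):
        return True
```

With the benign submission both evaluators return the same price; with the hostile one, vulnerable_calc returns the web process's PID, proving the submitted value was executed, while safe_calc rejects it at the numeric check before any parsing happens. The same hardening applies in PHP: cast each field value with is_numeric()/floatval() and evaluate the formula with an arithmetic parser instead of building a string for eval().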
To reduce the risk, site administrators should immediately update Everest Forms Pro to the latest release, in which the vulnerability has been fixed, and confirm afterwards that the installed version is newer than 1.9.12. They should also review web server logs and the list of administrator-level accounts. Any administrator account the site owner did not create, and in particular one named diksimarina, should be removed; because its presence means the attacker has already executed code on the server and may have planted backdoors, the site should then be assessed more broadly (comparing plugin and core files against clean copies and rotating the credentials stored in the site's configuration) rather than treated as clean once the account is gone. Finally, administrators can configure their security systems or firewall to block the identified source IP addresses. This is a worthwhile short-term measure, but attackers change infrastructure easily, so it is no substitute for patching.
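The log and account review described above, as an added example that is not part of the original report or of Wordfence's tooling. It parses a constructed excerpt of a combined-format access log, pulls out requests from the two IP addresses named in the reporting, counts POST volume per client, and compares a constructed administrator list against the accounts the owner expects. The site paths, timestamps and user rows are made up; the WP-CLI command and SQL in the comments are real, with the default wp_ table prefix assumed.

```python
import re
from collections import Counter

# Indicators quoted in the reporting above.
KNOWN_BAD_IPS = {"202.56.2.126", "209.146.60.26"}
KNOWN_BAD_USERS = {"diksimarina"}

# Constructed access-log excerpt in combined format (hypothetical site paths).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [14/May/2026:09:12:01 +0000] "GET /contact/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
202.56.2.126 - - [14/May/2026:09:12:44 +0000] "POST /contact/ HTTP/1.1" 200 512 "-" "python-requests/2.31"
209.146.60.26 - - [14/May/2026:09:13:02 +0000] "POST /contact/ HTTP/1.1" 200 498 "-" "python-requests/2.31"
202.56.2.126 - - [14/May/2026:09:13:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [14/May/2026:09:15:30 +0000] "GET /wp-login.php HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
"""

# Constructed rows standing in for the output of the real WP-CLI command
#   wp user list --role=administrator --fields=ID,user_login,user_registered
# or, directly against the database (default wp_ prefix assumed):
#   SELECT u.ID, u.user_login, u.user_registered FROM wp_users u
#     JOIN wp_usermeta m ON m.user_id = u.ID
#    WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%';
SAMPLE_ADMINS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-02 10:00:00"},
    {"ID": 57, "user_login": "diksimarina", "user_registered": "2026-05-16 03:41:18"},
]
EXPECTED_ADMINS = {"siteowner"}   # accounts the site owner actually created

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def parse_access_log(text):
    """Return one dict per parseable log line; unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def requests_from_known_bad_ips(rows, bad_ips=KNOWN_BAD_IPS):
    return [r for r in rows if r["ip"] in bad_ips]


def post_counts_by_ip(rows):
    """POST volume per client: the campaign showed up as bursts of form POSTs,
    so a single IP with many POSTs to a form page deserves a closer look even
    if it is not on the published list."""
    return Counter(r["ip"] for r in rows if r["method"] == "POST")


def unexpected_admins(admins, expected=EXPECTED_ADMINS, known_bad=KNOWN_BAD_USERS):
    """Flag every administrator that is either the reported campaign username
    or simply not an account the owner recognises."""
    findings = []
    for a in admins:
        login = a["user_login"]
        if login in known_bad:
            findings.append((login, "username reported for this campaign"))
        elif login not in expected:
            findings.append((login, "administrator not on the expected list"))
    return findings
```

The account check deliberately flags any administrator not on the owner's own list, not just diksimarina: an attacker who has code execution can name the account anything, and the user_registered timestamp of an unexpected account is often the first reliable marker of when the compromise happened.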
