Hackers are actively exploiting a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro plugin, which lets them take full control of a WordPress website.
The security issue affects versions 1.9.12 and earlier of the plugin and can be leveraged without authentication to execute arbitrary code on the server.
Everest Forms Pro is a commercial add-on for the WordPress form builder plugin Everest Forms. It is used to create contact, registration, payment, and other custom application forms.
The CVE-2026-3300 vulnerability is in the plugin's Advanced Calculation feature, which accepts values submitted through form fields and inserts them into a PHP code string. It then executes the resulting code using PHP's eval() function.
Although user input is passed through the sanitize_text_field() function, that function does not escape single quotes (') or other characters that affect PHP syntax.
As a result, an attacker can close the intended string, inject arbitrary PHP code, and comment out the remaining generated code to achieve code execution on the server.
Telemetry data from Wordfence, a firewall and malware scanner for WordPress, shows that the vulnerability is being exploited in the wild to create rogue administrator accounts.
“The attacker submits a value for a text field that begins with a single quote to close the wrapping string literal, followed by a PHP statement that calls wp_insert_user() to create a new administrator account with the username ‘diksimarina’,” explains a report from Wordfence.
“The trailing // comment marker ensures the rest of the generated PHP code, including the closing quote, is treated as a comment and does not cause a syntax error.”
“When the form is processed and the calculation is evaluated, the injected PHP code is executed, and the malicious administrator account is created.”
Administrator-level access gives attackers full power to perform high-risk actions on the breached website, including modifying content, installing plugins and themes, planting backdoors and webshells, and accessing private databases.
Researcher h0xilo submitted the CVE-2026-3300 vulnerability through Wordfence in February, and on March 18, the Everest Forms developer released a patch that addresses the issue.
According to Wordfence data, active exploitation started on April 13, with the firewall blocking over 29,300 attempts.
Source: Wordfence
Wordfence says exploitation attempts originate primarily from two IP addresses, 202.56.2[.]126 and 209.146.60.26, and recommends defenders block them.
Wordfence's report, however, provides several other offending IP addresses as indicators of compromise (IOCs).
Website administrators are also advised to review log files and administrator accounts for any suspicious activity, especially entries containing the string “diksimarina.”
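The review Wordfence recommends can be scripted. The following is an added example, not code from Wordfence or the Everest Forms project: it triages form submissions against the two source IPs and the string-break pattern described above, and audits a user listing for the rogue username. The submission endpoint, the sample data, and the "registered since April 13" cutoff for administrators are assumptions made for illustration.

```python
import re
from datetime import datetime

# Indicators quoted in the article (Wordfence): the two source IPs and the
# username the injected wp_insert_user() call creates.
BLOCKED_IPS = {"202.56.2.126", "209.146.60.26"}
ROGUE_USERNAME_MARKER = "diksimarina"
EXPLOITATION_START = datetime(2026, 4, 13)  # first blocked attempts, per Wordfence

# A calculation-field value that opens with a single quote (closing the wrapping
# string literal) and then carries PHP-looking tokens: a function call, a
# statement terminator, or the trailing "//" comment marker.
PHP_INJECTION_RE = re.compile(r"^\s*'.*(?:\w+\s*\(|;|//)", re.DOTALL)


def suspicious_field_value(value: str) -> bool:
    """True when a submitted form field looks like a PHP string-break payload."""
    return bool(PHP_INJECTION_RE.search(value))


def triage_submission(source_ip: str, fields: dict) -> list:
    """Return the reasons a form submission should be blocked or reviewed."""
    reasons = []
    if source_ip in BLOCKED_IPS:
        reasons.append(f"source {source_ip} is a published attacker IP")
    for name, value in fields.items():
        if suspicious_field_value(str(value)):
            reasons.append(f"field {name!r} carries PHP-like injection")
    return reasons


def audit_admin_accounts(users: list) -> list:
    """Flag administrators whose login contains the known rogue marker, or who
    were registered on/after the exploitation start (an assumed cutoff)."""
    flagged = []
    for user in users:
        if "administrator" not in user["roles"]:
            continue
        login = user["user_login"].lower()
        if ROGUE_USERNAME_MARKER in login or user["registered"] >= EXPLOITATION_START:
            flagged.append(user["user_login"])
    return flagged


# Constructed sample data (not from the article): one benign and one hostile
# submission, and a wp_users-style listing with a planted administrator.
SAMPLE_SUBMISSIONS = [
    ("203.0.113.7", {"quantity": "3", "price": "19.99"}),
    ("209.146.60.26", {"quantity": "'; malicious_call(); //"}),
]
SAMPLE_USERS = [
    {"user_login": "editor_jane", "roles": ["editor"], "registered": datetime(2025, 6, 1)},
    {"user_login": "siteadmin", "roles": ["administrator"], "registered": datetime(2024, 1, 9)},
    {"user_login": "diksimarina", "roles": ["administrator"], "registered": datetime(2026, 4, 14)},
]

if __name__ == "__main__":
    for ip, fields in SAMPLE_SUBMISSIONS:
        print(ip, triage_submission(ip, fields) or ["clean"])
    print("flagged admins:", audit_admin_accounts(SAMPLE_USERS))
```

Feed `audit_admin_accounts` the output of `wp user list --role=administrator --format=json` (converting the registered timestamps to `datetime`) to run the account check against a real site.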