Everest Forms Pro CVE-2026-3300 exploitation

Summary

CVE-2026-3300 is an unauthenticated remote-code-execution flaw in the Everest Forms Pro WordPress plugin. NVD and Wordfence-referenced reporting describe PHP code injection in the Calculation Addon's process_filter() path in all versions up to and including 1.9.12.

The durable threat-intelligence point is that the flaw is under active exploitation against WordPress sites: The Hacker News reported on 2026-06-05 that attackers had been exploiting it since 2026-04-13, with Wordfence blocking more than 29,300 exploit attempts and still seeing attempts in the preceding 24 hours.

Why this matters

  • The vulnerable code path can turn a form submission into arbitrary PHP execution when the form uses the Complex Calculation feature.
  • Successful exploitation can create WordPress administrator accounts, deploy web shells, and establish longer-lived site persistence.
  • Everest Forms Pro is a WordPress plugin with roughly 4,000 active installations according to The Hacker News, so the exposure is smaller than core-platform flaws but still high-impact for affected sites.
  • The patch was released on 2026-03-18, but exploitation telemetry continued into June, making stale commercial-plugin deployments the main risk.

Operational characteristics

  • Affected product: Everest Forms Pro WordPress plugin.
  • Affected versions: all versions up to and including 1.9.12, according to NVD and Wordfence-referenced reporting.
  • Fixed version: 1.9.13, released on 2026-03-18 according to The Hacker News.
  • Vulnerable path: the Calculation Addon's process_filter() function concatenates user-submitted form field values into a PHP code string before passing it to eval().
  • Input context: NVD says exploitation is possible through crafted values in string-type form fields such as text, email, URL, select, and radio fields when a form uses the Complex Calculation feature.
  • Privilege requirement: unauthenticated remote attacker.
  • Observed activity: The Hacker News cited Wordfence telemetry that exploitation began on 2026-04-13, with more than 29,300 blocked attempts by 2026-06-05.
  • Common payload reported: creation of a WordPress administrator account named diksimarina using diksimarina@gmail.com.
  • Observed source IPs reported by The Hacker News / Wordfence: 202.56.2.126, 209.146.60.26, 15.235.166.18, 2402:1f00:8000:800::40db, and 185.78.165.153.

Defender heuristics

  • Upgrade Everest Forms Pro to 1.9.13 or later; if patching cannot be verified quickly, disable or remove the plugin from internet-facing WordPress sites.
  • Inventory forms using the Complex Calculation feature and treat exposed vulnerable forms as likely exploit paths.
  • Hunt for unexpected administrator accounts, especially diksimarina or accounts using diksimarina@gmail.com, and for administrator users created after 2026-04-13.
  • Review web access logs for requests to Everest Forms / calculation endpoints and requests from the reported IPs, but do not scope only to those indicators.
  • Inspect plugin/theme files, uploads directories, .htaccess, wp-config.php, scheduled tasks, and recently modified PHP files for web shells and persistence.
  • After confirmed exploitation, rotate WordPress administrator passwords, application passwords, database credentials, hosting-panel credentials, SMTP/API keys, and any secrets stored in the WordPress configuration or database.
  • Preserve web logs, WordPress database user tables, file mtimes, and suspicious PHP artifacts before cleanup when incident-response evidence matters.
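The two hunts above (unexpected administrator accounts, and access-log requests from the reported IPs or to the form endpoint) can be scripted. The following is an added example written for this page, not code from Everest Forms Pro, Wordfence or The Hacker News. It runs over constructed sample data: rows shaped like wp_users/wp_usermeta exports and a few combined-format access-log lines. The page does not name the plugin's HTTP endpoint, so the path substring ENDPOINT_HINT and the query-string action in the sample log are placeholders to adjust for the real deployment.

```python
"""Triage helpers for CVE-2026-3300 (Everest Forms Pro) using the page's IoCs.

Added example for this page; not code from the plugin or the cited vendors.
Feed real wp_users/wp_usermeta rows and web-server access-log lines in place
of the constructed samples at the bottom.
"""
from datetime import datetime, timezone
import re

# Indicators quoted on the page: reported account name and e-mail, the date
# exploitation was first observed, and the reported source IPs.
IOC_USERNAME = "diksimarina"
IOC_EMAIL = "diksimarina@gmail.com"
EXPLOIT_START = datetime(2026, 4, 13, tzinfo=timezone.utc)
REPORTED_IPS = {
    "202.56.2.126", "209.146.60.26", "15.235.166.18",
    "2402:1f00:8000:800::40db", "185.78.165.153",
}
# Assumption: the page does not name the plugin endpoint, so this substring
# is a placeholder; replace it with the real form-submission path.
ENDPOINT_HINT = "everest"

# Combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def suspicious_admins(users, usermeta):
    """Return (user_login, reasons) for administrator accounts that match the
    IoC or were registered on/after the first observed exploitation date.
    `users`: list of dicts with ID, user_login, user_email, user_registered.
    `usermeta`: {user ID: serialized wp_capabilities string}."""
    hits = []
    for u in users:
        caps = usermeta.get(u["ID"], "")
        if '"administrator"' not in caps:          # only admin role matters here
            continue
        reasons = []
        if u["user_login"].lower() == IOC_USERNAME:
            reasons.append("ioc-username")
        if u["user_email"].lower() == IOC_EMAIL:
            reasons.append("ioc-email")
        registered = datetime.strptime(
            u["user_registered"], "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)           # wp_users stores UTC
        if registered >= EXPLOIT_START:
            reasons.append("registered-after-2026-04-13")
        if reasons:
            hits.append((u["user_login"], reasons))
    return hits


def suspicious_requests(log_lines):
    """Return (ip, path, reasons) for log lines from a reported IP or for a
    POST to the (assumed) form endpoint. Do not scope hunting to the IPs
    alone; the endpoint check is what catches other sources."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["ip"] in REPORTED_IPS:
            reasons.append("reported-ip")
        if m["method"] == "POST" and ENDPOINT_HINT in m["path"].lower():
            reasons.append("form-endpoint-post")
        if reasons:
            hits.append((m["ip"], m["path"], reasons))
    return hits


# Constructed sample data (not real site data).
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.org",
     "user_registered": "2024-02-10 09:12:44"},
    {"ID": 7, "user_login": "editor_jane", "user_email": "jane@example.org",
     "user_registered": "2026-04-20 11:03:10"},
    {"ID": 9, "user_login": "diksimarina", "user_email": "diksimarina@gmail.com",
     "user_registered": "2026-04-14 03:27:51"},
]
SAMPLE_USERMETA = {
    1: 'a:1:{s:13:"administrator";b:1;}',
    7: 'a:1:{s:6:"editor";b:1;}',
    9: 'a:1:{s:13:"administrator";b:1;}',
}
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Apr/2026:03:20:01 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # The action name below is a placeholder, not the plugin's real endpoint.
    '202.56.2.126 - - [14/Apr/2026:03:27:40 +0000] "POST /wp-admin/admin-ajax.php?action=everest_forms_placeholder HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '2402:1f00:8000:800::40db - - [14/Apr/2026:03:28:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for login, why in suspicious_admins(SAMPLE_USERS, SAMPLE_USERMETA):
        print(f"admin {login}: {', '.join(why)}")
    for ip, path, why in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {path}: {', '.join(why)}")
```

On the sample data the account hunt flags only diksimarina (all three reasons), while the log hunt flags the POST from 202.56.2.126 on both criteria and the 2402:1f00:8000:800::40db request on the IP alone. The registration-date check deliberately fires on every administrator created after 2026-04-13, so legitimate new admins will appear and need to be confirmed by hand; that is preferable to scoping only on the reported name and IPs.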

Sources

  • The Hacker News: https://thehackernews.com/2026/06/hackers-exploit-critical-everest-forms.html
  • NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3300
  • Wordfence vulnerability record: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/everest-forms-pro/everest-forms-pro-1912-unauthenticated-remote-code-execution-via-calculation-field
  • Wordfence blog: https://www.wordfence.com/blog/2026/06/attackers-actively-exploiting-critical-vulnerability-in-everest-forms-pro-plugin/