Attackers are exploiting a flaw in Everest Forms Pro for WordPress to execute PHP code and create rogue administrator accounts, Wordfence said.
The vulnerability, tracked as CVE-2026-3300, carries a CVSS score of 9.8 and affects Everest Forms Pro versions up to and including 1.9.12. Wordfence said WPEverest patched the bug in version 1.9.13 on March 18, 2026.
Wordfence said the remote code execution bug sits in the plugin’s Complex Calculation feature. The Calculation Addon’s process_filter() function placed user-submitted field values into a PHP code string without proper escaping before sending it to eval().
That flaw allows unauthenticated attackers to submit crafted values via string-type form fields when a site uses Complex Calculation. Successful exploitation can allow arbitrary PHP execution on the server, according to Wordfence.
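The bug class Wordfence describes, as an added illustration that is not Everest Forms Pro code: a hypothetical calculation routine that splices form-field values into a string passed to eval(), beside a hardened version that coerces each value to a number and evaluates the arithmetic with a small parser so eval() is never called. The function names, the `{field}` placeholder syntax and the sample values are assumptions.

```php
<?php
// Added example, not code from Everest Forms Pro or WPEverest; names and placeholder syntax are hypothetical.
// Unsafe shape the advisory describes: field values are spliced into PHP source and handed to eval().
function calculate_unsafe(string $formula, array $fields): float
{
    foreach ($fields as $name => $value) {
        $formula = str_replace('{' . $name . '}', $value, $formula); // no escaping or type check
    }
    return (float) eval('return ' . $formula . ';');                // injection sink
}
// Hardened alternative: values are coerced to numbers before substitution and the expression is
// evaluated by a small recursive-descent parser (numbers, + - * /, parentheses); eval() is never called.
function calculate_safe(string $formula, array $fields): float
{
    $expr = preg_replace_callback('/\{(\w+)\}/', function ($m) use ($fields) {
        $raw = $fields[$m[1]] ?? '0';                                // missing field counts as 0
        if (!is_numeric($raw)) throw new InvalidArgumentException("field {$m[1]} must be numeric");
        return '(' . (float) $raw . ')';                             // parentheses keep negatives intact
    }, $formula);
    if (!preg_match('/^[\d\s.()+\-*\/]+$/', $expr)) throw new InvalidArgumentException('bad characters');
    preg_match_all('/\d+(?:\.\d+)?|[()+\-*\/]/', $expr, $m);
    $tok = $m[0]; $i = 0;
    $factor = function () use (&$tok, &$i, &$factor, &$sum) {        // number, unary minus, ( ... )
        $t = $tok[$i++] ?? null;
        if ($t === '-') return -$factor();
        if ($t === '(') {
            $v = $sum();
            if (($tok[$i++] ?? null) !== ')') throw new InvalidArgumentException('missing )');
            return $v;
        }
        if (!is_numeric($t)) throw new InvalidArgumentException('unexpected token');
        return (float) $t;
    };
    $term = function () use (&$tok, &$i, &$factor) {                 // * and /
        for ($v = $factor(); in_array($tok[$i] ?? null, ['*', '/'], true);) {
            $v = $tok[$i++] === '*' ? $v * $factor() : $v / $factor();
        }
        return $v;
    };
    $sum = function () use (&$tok, &$i, &$term) {                    // + and -
        for ($v = $term(); in_array($tok[$i] ?? null, ['+', '-'], true);) {
            $v = $tok[$i++] === '+' ? $v + $term() : $v - $term();
        }
        return $v;
    };
    $v = $sum();
    if ($i !== count($tok)) throw new InvalidArgumentException('trailing input');
    return $v;
}
```

With the constructed input `calculate_safe('{qty} * {price} + 2', ['qty' => '3', 'price' => '-1.5'])` the hardened function returns -2.5, while a non-numeric value in either field is rejected before any evaluation happens.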
Wordfence said attackers have used the bug to create administrator accounts, deploy web shells and deepen access inside compromised WordPress environments. The company said it observed active exploitation starting April 13, 2026.
The most common payload attempts to create an administrator account named “diksimarina” with the email address “diksimarina@gmail.com,” according to Wordfence. Site owners should remove any unauthorised accounts and inspect logs for suspicious requests.
WPEverest users should update Everest Forms Pro to version 1.9.13 or later. Administrators should also review plugin files, check recent file changes and look for web shells after patching.