Everest Forms Pro Vulnerability Under Active Attack Worldwide

Your WordPress site could be at serious risk right now. Regarding Everest Forms Pro vulnerability, A critical security flaw in the Everest Forms Pro plugin is being actively exploited by hackers to take over websites across the globe. If you’re running this plugin, you need to act immediately.

The vulnerability, officially tracked as CVE-2026-3300, has already been used in over 29,000 attacks. Hackers are using it to create unauthorized administrator accounts, install backdoors, and completely hijack WordPress sites. The worst part? They don’t need any login credentials to do it.

What’s Actually Happening to Vulnerable Sites

This isn’t just a theoretical threat. Since April 13, 2026, security researchers have watched attackers systematically target WordPress sites running vulnerable versions of Everest Forms Pro. The plugin’s “Complex Calculation” feature contains a dangerous flaw that lets attackers run their own code on your server.

The technical problem lies in how the plugin handles user input. It takes data from form fields and runs it through PHP code without properly checking what’s being submitted. Attackers exploit this by submitting specially crafted form data that includes malicious code.

According to Wordfence, attackers are primarily creating rogue administrator accounts using the username “diksimarina” and email “diksimarina@gmail.com.” Once they have admin access, they can do anything they want with your site. Additionally, many attackers are installing web shells, which are hidden files that let them control your site remotely even after you discover the breach.

Who’s Behind These Attacks

Security researchers believe opportunistic cybercriminals are driving this campaign rather than sophisticated hacking groups. They’re using automated tools to scan thousands of WordPress sites looking for vulnerable installations. When they find one, their scripts automatically attempt to exploit it.

The attacks are coming from multiple IP addresses, including 202.56.2.126, 209.146.60.26, and 15.235.166.18. These addresses have been linked to previous malicious campaigns and likely represent a botnet or exploitation service. The attackers aren’t targeting specific industries or regions. They’re going after every vulnerable site they can find.

Their goal appears to be financial. Once they control your site, they can sell that access to other criminals, deploy ransomware, or use your server to host phishing pages and malware distribution.

Which Sites Are at Risk

Any WordPress site running Everest Forms Pro version 1.9.12 or earlier is vulnerable. The flaw affects all previous versions of the plugin without exception. If you’re using the “Complex Calculation” feature in any of your forms, your risk is even higher.

However, attackers don’t necessarily know which features you’re using before they attack. They’re systematically testing vulnerable sites regardless of configuration. Small businesses, e-commerce stores, educational institutions, and nonprofits have all been affected.

The vulnerability received a severity score of 9.8 out of 10, which is about as serious as it gets. This rating reflects the fact that attackers need zero credentials and zero user interaction to compromise your site completely.

What You Need to Do Right Now

First and most important: update Everest Forms Pro to version 1.9.13 immediately. This version patches the vulnerability and closes the door to attackers. Don’t wait until next week or after the weekend. Do it today.

If you can’t update right away for some reason, disable the “Complex Calculation” feature on all your forms. This removes the attack vector while you prepare for the full update. Additionally, consider restricting form access to logged-in users only if that makes sense for your business.

Next, check your site for signs of compromise. Look for administrator accounts you don’t recognize, especially any using the username “diksimarina.” Review your WordPress users page carefully and delete any suspicious accounts immediately.

Checking for Web Shells and Backdoors

Attackers often install web shells in your uploads directory or other writable folders. These are typically PHP files with random or innocent-sounding names. If you see unexpected PHP files in /wp-content/uploads/ or similar directories, investigate them carefully.

Your web server logs can reveal attempted exploits. Look for form submissions that contain unusual characters like single quotes, semicolons, or PHP function names like “eval,” “exec,” or “system.” These are strong indicators of exploitation attempts.

If you find evidence of compromise, take immediate action. Change all administrator passwords, remove unauthorized accounts, delete any suspicious files, and consider restoring from a clean backup taken before April 13, 2026.

Adding Extra Protection Layers

Beyond updating the plugin, consider deploying a web application firewall (WAF). Quality security plugins can block form submissions that contain PHP code injection patterns. They act as a safety net even if new vulnerabilities emerge.

File integrity monitoring is another valuable tool. These systems alert you when files change unexpectedly, which can help you detect web shells and other malicious modifications quickly. Therefore, you’ll know about problems before they escalate.

Network monitoring can also help you spot compromised sites. If your server starts making unexpected outbound connections to suspicious IP addresses, that’s a red flag worth investigating.

Why This Vulnerability Is So Dangerous

The Everest Forms Pro vulnerability stands out because of how easy it is to exploit. Attackers don’t need to trick users into clicking links or downloading files. They simply submit a malicious form and instantly gain control of your site.

The vulnerability stems from the plugin’s use of the eval() function, which executes arbitrary code. When combined with insufficient input sanitization, this creates a perfect storm for remote code execution. The sanitize_text_field() function the plugin uses doesn’t catch characters that have special meaning in PHP code.

Consequently, attackers can inject PHP commands through form fields that seem completely normal, like text boxes, email fields, or dropdown menus. Your site processes these commands and hands control over to the attacker.

The Broader Implications for Your Business

A compromised WordPress site isn’t just an IT problem. It’s a business crisis that can damage your reputation, expose customer data, and potentially violate privacy regulations. If attackers access customer information through your site, you could face legal liability and regulatory penalties.

Search engines like Google may blacklist compromised sites, tanking your search rankings overnight. Rebuilding that trust takes months or even years. Meanwhile, customers who encounter malware or phishing pages on your site will lose confidence in your brand.

This is why treating security updates as urgent business priorities makes sense. The few minutes required to update a plugin pale in comparison to the days or weeks of recovery work following a successful attack.

Moving Forward: Prevention and Monitoring

Once you’ve addressed this immediate threat, establish ongoing security practices. Keep all plugins, themes, and WordPress core updated consistently. Enable automatic updates where possible to reduce your exposure window when new vulnerabilities emerge.

Regular security audits help identify problems before attackers do. Review your installed plugins quarterly and remove any you’re not actively using. Each plugin represents a potential attack surface.

Consider working with a WordPress security specialist or managed hosting provider that includes security monitoring in their service. They can watch for emerging threats and apply patches quickly, often before you even hear about the vulnerability. This proactive approach significantly reduces your risk of compromise.

Security isn’t a one-time checkbox. It’s an ongoing process that requires attention and resources. However, the investment in proper security measures costs far less than recovering from a successful attack.

Original Source: www.rescana.com