Security experts are sounding the alarm about an active cyberattack campaign targeting WordPress websites. A critical vulnerability within the popular Everest Forms Pro plugin is reportedly being exploited, allowing attackers to gain complete control of affected sites.
Severe Vulnerability Puts WordPress Sites at Risk
The flaw, identified as CVE-2026-3300, is a Remote Code Execution (RCE) vulnerability that enables attackers to inject PHP code into vulnerable websites. This allows them to create rogue administrator accounts, effectively hijacking the entire site. The vulnerability has been assigned a critical severity rating of 9.8 out of 10.
The exploit works by submitting a specially crafted value to a text field within the form. This input is designed to close the existing string literal and then execute a PHP statement that calls the `wp_insert_user()` function. This function is used to create a new administrator account, with recent attacks creating an account named “diksimarina”. A trailing comment marker is used to ensure the injected code is executed without causing syntax errors.
Impact of Account Takeover
Gaining administrator privileges on a WordPress site grants attackers extensive capabilities. They can potentially steal sensitive files, redirect website visitors to malicious destinations, or distribute malware. This poses a significant threat to website owners and their users.
Exploitation and Patching Timeline
The vulnerability was initially disclosed in February of this year. Developers released a patch for Everest Forms Pro by mid-March. However, exploitation attempts reportedly began around mid-April, approximately a month after the fix became available.
Analysis indicates that nearly 30,000 attempted attacks have been thwarted. A significant portion of these attempts have been traced back to two specific IP addresses: 202.56.2[.]126 and 209.146.60.26.
Recommendations for Site Administrators
Website administrators who use Everest Forms Pro are strongly advised to update their plugin to the latest version immediately to patch this critical vulnerability. To further enhance security, it is recommended to block the identified malicious IP addresses at the server level. Additionally, site owners should review their website’s log files for any occurrences of the username “diksimarina” to detect potential compromises.
