Hackers are actively exploiting a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro plugin, which lets them take complete control of a WordPress website.
The security issue affects versions 1.9.12 and earlier of the plugin and can be leveraged without authentication to execute arbitrary code on the server.
Everest Forms Pro is a commercial add-on for the WordPress form builder plugin Everest Forms. It is used to create contact, registration, payment, and other custom application forms.
The CVE-2026-3300 vulnerability is in the plugin’s Complex Calculation feature, which takes values submitted through form fields, inserts them into a string of PHP code, and then executes the resulting code with PHP’s eval() function.
User input is passed through WordPress’s sanitize_text_field() function before being inserted, but that function only strips HTML tags and extra whitespace; it does not escape single quotes (') or other characters that affect PHP syntax.
As a result, an attacker can close the intended string, inject arbitrary PHP code, and comment out the remaining generated code to achieve code execution on the server.
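The pattern described above, as an added PHP illustration that is not Everest Forms Pro’s code: a simplified stand-in for sanitize_text_field() (the real WordPress function is not included here), a vulnerable calculation that splices the “sanitized” value into eval()’d source, and a hardened version that validates the value as a number instead. The field name “price” and the multiply-by-two calculation are assumptions made for the example.

```php
<?php
// Added illustration of the eval()-based pattern the article describes; this is not
// code from Everest Forms Pro. The field name "price" and the sanitizer stand-in
// below are assumptions made for the example.

// Simplified stand-in for WordPress's sanitize_text_field(): strips HTML tags and
// collapses whitespace. Like the real function, it leaves single quotes untouched,
// which is what matters once the value lands in a PHP code context.
function sanitize_text_field_stub(string $value): string {
    $value = strip_tags($value);
    $value = preg_replace('/[\r\n\t ]+/', ' ', $value);
    return trim($value);
}

// VULNERABLE: the "sanitized" value is spliced into PHP source and evaluated.
// For a benign value of 21 the generated code is:   $result = '21' * 2;
function vulnerable_calculation(array $fields): string {
    $value  = sanitize_text_field_stub($fields['price'] ?? '');
    $result = null;
    $code   = "\$result = '" . $value . "' * 2;";
    eval($code);   // executes whatever the submitter managed to put in $value
    return (string) $result;
}

// HARDENED: never build code from input. Validate the field as a number and do the
// arithmetic in PHP itself; there is nothing for a quote or comment marker to break.
function safe_calculation(array $fields): string {
    $value = $fields['price'] ?? '';
    if (!is_numeric($value)) {
        return 'invalid input';
    }
    return (string) ((float) $value * 2);
}

// Normal submission: both paths compute the same product.
echo vulnerable_calculation(['price' => '21']), "\n";
echo safe_calculation(['price' => '21']), "\n";

// Quote-break submission. The leading ' closes the string literal, the injected
// statement runs, and the trailing // turns the rest of the generated line
// ("' * 2;") into a comment so there is no syntax error. This payload only
// overwrites $result to prove control of the statement; the in-the-wild payload
// described in the article calls wp_insert_user() instead.
$payload = "'; \$result = 'INJECTED'; //";
echo vulnerable_calculation(['price' => $payload]), "\n";
echo safe_calculation(['price' => $payload]), "\n";
```

Run it with `php example.php`; the vulnerable path echoes the attacker-chosen marker while the hardened path rejects the same input. When auditing a plugin, the thing to look for is any eval() whose argument is built from request data: WordPress sanitizers such as sanitize_text_field() are HTML-context filters and do not make a value safe to embed in code.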
Telemetry from Wordfence, a firewall and malware scanner for WordPress, shows that the vulnerability is being exploited in the wild to create rogue administrator accounts.
“The attacker submits a value for a text field that begins with a single quote to close the wrapping string literal, followed by a PHP statement that calls wp_insert_user() to create a new administrator account with the username ‘diksimarina’,” explains a report from Wordfence.
“The trailing // comment marker ensures the rest of the generated PHP code, including the closing quote, is treated as a comment and does not cause a syntax error.”
“When the form is processed and the calculation is evaluated, the injected PHP code is executed and the malicious administrator account is created.”