CVE-2026-3300: Critical WordPress Exploit Lets Hackers Hijack 4,000+ Sites
Hackers are actively exploiting a critical vulnerability in the Everest Forms Pro WordPress plugin that lets them take complete control of any affected website. CVE-2026-3300 has a CVSS score of 9.8 out of 10, and Wordfence has already blocked over 29,300 attack attempts. If you run WordPress with this plugin, you need to patch immediately.
Here is everything about CVE-2026-3300 — how it works, who is attacking, and exactly what you need to do right now.
What Is CVE-2026-3300?
CVE-2026-3300 is an unauthenticated Remote Code Execution (RCE) vulnerability affecting every version of the Everest Forms Pro plugin up to and including 1.9.12. It carries a CVSS score of 9.8, critical severity. The attacker does not need an account on the site: a form submission is enough to get arbitrary PHP executed on the server.
Everest Forms Pro is a popular WordPress form builder with over 4,000 active installations. While that number may seem small compared to mega-plugins like Contact Form 7, many Everest Forms Pro users are business websites handling customer data, payment information, and sensitive form submissions — making this vulnerability particularly damaging.
How the Exploit Works
The vulnerability exists in the Calculation Addon’s process_filter() function. Here is the technical breakdown:
The function builds a PHP source string by concatenating user-submitted form field values into it, then passes that string to eval(). The only filtering applied on the way in is sanitize_text_field(), which is an HTML-context sanitizer: it strips tags, invalid UTF-8 and line breaks, but leaves single quotes, dots, parentheses and semicolons untouched, because none of those are dangerous in HTML. In PHP source they are everything. A field value that closes the string literal it is spliced into can append any expression it likes, and eval() runs it.
In simpler terms: an attacker fills out a form on your website, puts a short piece of PHP in one of the fields, and the plugin executes it as the web server user. That is not root, but it is enough to read wp-config.php and the database credentials, write files into wp-content, and create an administrator account. No authentication required. No exploit chain. Just a form submission.
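To make the mechanism concrete, here is an added illustration written for this article, not code taken from Everest Forms Pro: a stand-alone PHP script with a minimal reconstruction of the pattern described above (field values spliced into a string literal and handed to eval()) next to a version that never turns a submission into PHP source. The function names, the form fields and the sanitize_text_field() stand-in are assumptions; the stand-in mirrors only the behaviour that matters here, namely that quotes and parentheses survive it.

```php
<?php
// Added illustration (not Everest Forms Pro's code): the eval()-on-user-input
// pattern the advisory describes, next to a version that never builds PHP
// source from a submission. Function and field names are hypothetical.

// Stand-in for WordPress's sanitize_text_field() so this runs outside WP.
// Like the real one it strips tags and collapses whitespace but leaves quotes,
// dots, parentheses and semicolons alone: HTML sanitizer, not PHP escaper.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str): string {
        return trim(preg_replace('/[\r\n\t ]+/', ' ', strip_tags((string) $str)));
    }
}

// VULNERABLE: splices each field into a single-quoted PHP string literal,
// then hands the result to eval().
function evaluate_calculation_vulnerable(string $formula, array $fields): string {
    foreach ($fields as $id => $value) {
        $formula = str_replace('{' . $id . '}', "'" . sanitize_text_field($value) . "'", $formula);
    }
    return (string) eval('return ' . $formula . ';');   // e.g. return '10' * '5';
}

// A submitted value that closes the quote gets arbitrary code executed.
// PHP_OS stands in for system('id') or a base64_decode()'d dropper.
$payload = "'.PHP_OS.'0";   // eval sees: return ''.PHP_OS.'0' * '5';
echo evaluate_calculation_vulnerable('{quantity} * {price}', ['quantity' => '10', 'price' => '5']), "\n";
echo evaluate_calculation_vulnerable('{quantity} * {price}', ['quantity' => $payload, 'price' => '5']), "\n";

// HARDENED: fields are coerced to numbers, the formula is restricted to an
// arithmetic alphabet, and a tiny recursive-descent parser evaluates it.
// No string ever becomes PHP code.
final class SafeCalculator {
    private string $s;
    private int $i = 0;
    public function __construct(string $expr) { $this->s = str_replace(' ', '', $expr); }
    public function evaluate(): float {
        $v = $this->expr();
        if ($this->i !== strlen($this->s)) { throw new InvalidArgumentException('Unexpected trailing input'); }
        return $v;
    }
    private function peek(): string { return $this->s[$this->i] ?? ''; }
    private function expr(): float {            // expr := term (('+'|'-') term)*
        $v = $this->term();
        while ($this->peek() === '+' || $this->peek() === '-') {
            $op = $this->s[$this->i++];
            $r  = $this->term();
            $v  = $op === '+' ? $v + $r : $v - $r;
        }
        return $v;
    }
    private function term(): float {            // term := factor (('*'|'/') factor)*
        $v = $this->factor();
        while ($this->peek() === '*' || $this->peek() === '/') {
            $op = $this->s[$this->i++];
            $r  = $this->factor();
            if ($op === '/' && $r == 0.0) { throw new DivisionByZeroError('Division by zero in formula'); }
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    }
    private function factor(): float {          // factor := number | '-' factor | '(' expr ')'
        if ($this->peek() === '(') {
            $this->i++;
            $v = $this->expr();
            if ($this->peek() !== ')') { throw new InvalidArgumentException('Expected )'); }
            $this->i++;
            return $v;
        }
        if ($this->peek() === '-') { $this->i++; return -$this->factor(); }
        if (!preg_match('/\G[0-9]+(\.[0-9]+)?/', $this->s, $m, 0, $this->i)) {
            throw new InvalidArgumentException("Expected a number at offset {$this->i}");
        }
        $this->i += strlen($m[0]);
        return (float) $m[0];
    }
}

function evaluate_calculation_safe(string $formula, array $fields): float {
    $expr = preg_replace_callback('/\{([a-z0-9_]+)\}/i', function (array $m) use ($fields): string {
        $v = $fields[$m[1]] ?? 0;
        if (!is_numeric($v)) { throw new InvalidArgumentException("Field '{$m[1]}' is not numeric"); }
        $n = rtrim(rtrim(sprintf('%.10F', (float) $v), '0'), '.');   // plain digits, never 1.0E+20
        return '(' . $n . ')';                                         // parentheses keep -3 safe in 2*{x}
    }, $formula);
    if (!preg_match('/^[0-9.+\-*\/() ]+$/', $expr)) {
        throw new InvalidArgumentException('Formula contains disallowed characters');
    }
    return (new SafeCalculator($expr))->evaluate();
}

echo evaluate_calculation_safe('({quantity} * {price}) - {discount}', ['quantity' => '10', 'price' => '5', 'discount' => '7']), "\n";
try {
    evaluate_calculation_safe('{quantity} * {price}', ['quantity' => $payload, 'price' => '5']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run it with php from the command line. The first call prints 50; the second, whose quantity closes the quote, prints the host's PHP_OS followed by 0, which is the code-execution primitive in miniature (PHP_OS stands in for system(), or for the base64_decode() droppers seen in the wild). The hardened version rejects the same value because it is not numeric, and rejects anything in the formula outside digits, operators and parentheses before the parser ever runs. The general point is the fix: validate to a number and interpret, never escape and eval.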
This is about as bad as WordPress vulnerabilities get. Every public page that renders an affected form is an entry point, the request looks like an ordinary form submission, and there is no precondition to satisfy: no account, no second bug to chain, no unusual configuration. CVE-2026-3300 is trivially exploitable.
Active Exploitation: 29,300+ Attacks Blocked
According to Wordfence data, active exploitation of CVE-2026-3300 started on April 13, 2026 — nearly a month after the patch was released on March 18. The Wordfence firewall has blocked over 29,300 exploitation attempts as of June 2026.
The volume, together with the fact that more than one payload has been observed, suggests that more than one threat actor is exploiting this vulnerability. The gap between patch release (March 18) and the first observed exploitation (April 13) gave defenders a 26-day window to update. Many did not. Sites still running version 1.9.12 or earlier are now being actively targeted.
The diksimarina Attacker Campaign
The most common payload observed in the wild involves creating a rogue administrator account named “diksimarina” with the email address diksimarina@gmail.com. Once the attacker has admin access, they can install backdoors, modify content, steal data, or use the server for further attacks.
If you find a user named “diksimarina” in your WordPress admin panel, your site has been compromised. The reverse does not hold: other payloads are in circulation, and an attacker with code execution can delete the account once a backdoor is in place, so a clean user list is not proof of a clean site. If you are compromised, take the site offline, restore from a backup taken before exploitation began (Wordfence's first observation is April 13, 2026; earlier is safer), update all plugins before bringing the site back, reset every password, rotate the authentication keys and salts in wp-config.php so that stolen session cookies stop working, change the database password, and audit both the database (options, user meta, posts with injected scripts) and the filesystem for additional backdoors. Check our cybersecurity guides for incident response procedures.
How to Check If You’re Affected
Run through this checklist immediately:
- Check your plugin version: Go to Plugins → Installed Plugins in WordPress admin. If Everest Forms Pro shows version 1.9.12 or earlier, you are vulnerable.
- Check for rogue admin accounts: Go to Users → All Users → Filter by Administrator role, and sort by registration date. Look at the email addresses as well as the usernames; the campaign's account uses diksimarina@gmail.com. Any administrator you did not create, whatever its name, is a finding.
- Check for unknown files: Look for recently modified PHP files under the wp-content directory. No PHP file under /wp-content/uploads/ is ever legitimate. For /wp-content/plugins/, compare each plugin against a fresh download rather than trusting file names, and do not forget /wp-content/mu-plugins/, which loads automatically and is easy to overlook in the admin panel.
- Check your server logs: A standard access log records the method, URL, status and user agent but not the POST body, so the injected PHP itself usually does not appear there. Look instead for bursts of POST requests to pages that host a form, from IPs that never loaded the page first or that use scripted user agents, and for the first request to a newly created file. If you run a WAF, its request log does contain the payload; search it for PHP function names such as eval, system, exec or base64_decode.
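The checklist above is a manual walk through the admin panel and the filesystem; here is the same triage as an added read-only script for this article, not something shipped by Everest Forms Pro or Wordfence. It assumes WP-CLI is installed (it is run with `wp eval-file`, so WordPress functions and constants are available), that the access log is in combined format at /var/log/apache2/access.log, and that 30 days is a useful window for file modification times; adjust those for your host.

```php
<?php
/**
 * Added triage script for the checklist above. Not part of the article or of
 * Everest Forms Pro. It only reads; nothing is modified.
 * Run from the site root with WP-CLI (assumed installed):
 *     wp eval-file everest-triage.php
 * The access-log path and the 30-day window are assumptions; adjust them.
 */
if (!defined('ABSPATH')) {
    fwrite(STDERR, "Run inside WordPress, e.g. `wp eval-file everest-triage.php`\n");
    exit(1);
}
require_once ABSPATH . 'wp-admin/includes/plugin.php';

// 1. Plugin version. Per the advisory, Everest Forms Pro <= 1.9.12 is vulnerable.
foreach (get_plugins() as $file => $h) {
    if (stripos($h['Name'], 'Everest Forms') === false) { continue; }
    $isPro = stripos($h['Name'], 'Pro') !== false;
    $state = ($isPro && version_compare($h['Version'], '1.9.13', '<')) ? 'VULNERABLE: update or deactivate' : 'ok';
    printf("[plugin] %-40s %-8s %s (%s)\n", $h['Name'], $h['Version'], $state,
        is_plugin_active($file) ? 'active' : 'inactive');
}

// 2. Administrator accounts, newest first. Flag the campaign IOC and anything
//    registered after exploitation began (Wordfence: 2026-04-13).
$campaignStart = strtotime('2026-04-13');
foreach (get_users(['role' => 'administrator', 'orderby' => 'registered', 'order' => 'DESC']) as $u) {
    $flags = [];
    if ($u->user_login === 'diksimarina' || $u->user_email === 'diksimarina@gmail.com') { $flags[] = 'KNOWN IOC'; }
    if (strtotime($u->user_registered) >= $campaignStart) { $flags[] = 'registered during campaign'; }
    printf("[admin] %-20s %-35s %s %s\n", $u->user_login, $u->user_email, $u->user_registered, implode(', ', $flags));
}

// 3. PHP files recently written under wp-content. Anything executable under
//    uploads/ is a finding on its own; for plugins/, diff against a fresh copy.
function recently_modified_php(string $dir, int $days): array {
    if (!is_dir($dir)) { return []; }
    $since = time() - $days * 86400;
    $hits  = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $f) {
        if (preg_match('/\.(php|phtml|phar|php[0-9])$/i', $f->getFilename()) && $f->getMTime() >= $since) {
            $hits[] = date('Y-m-d H:i', $f->getMTime()) . '  ' . $f->getPathname();
        }
    }
    sort($hits);
    return $hits;
}
foreach (recently_modified_php(WP_CONTENT_DIR . '/uploads', 30) as $line)    { echo "[file] $line  (PHP in uploads is never legitimate)\n"; }
foreach (recently_modified_php(WP_CONTENT_DIR . '/plugins', 30) as $line)    { echo "[file] $line\n"; }
foreach (recently_modified_php(WP_CONTENT_DIR . '/mu-plugins', 30) as $line) { echo "[file] $line\n"; }

// 4. Access log (combined format). It does not record POST bodies, so the
//    injected PHP is usually invisible here; it does show who POSTed, how often
//    and with which client. Use the WAF's request log for the payload itself.
function post_summary(string $logPath): array {
    if (!is_readable($logPath)) { return []; }
    $byIp = [];
    foreach (new SplFileObject($logPath) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "POST (\S+)[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"/', $line, $m)) { continue; }
        [, $ip, $when, $path, $ua] = $m;
        $byIp[$ip]['posts'] = ($byIp[$ip]['posts'] ?? 0) + 1;
        $byIp[$ip]['last']  = $when;
        $byIp[$ip]['ua']    = $ua;
        if (preg_match('/(eval|system|exec|passthru|shell_exec|base64_decode)/i', urldecode($path))) {
            $byIp[$ip]['suspect_urls'][] = $path;   // only catches payloads that leaked into the URL
        }
    }
    uasort($byIp, function (array $a, array $b): int { return $b['posts'] <=> $a['posts']; });
    return $byIp;
}
foreach (array_slice(post_summary('/var/log/apache2/access.log'), 0, 10, true) as $ip => $s) {
    printf("[log] %-15s %5d POSTs, last %s, UA %s%s\n", $ip, $s['posts'], $s['last'], $s['ua'],
        isset($s['suspect_urls']) ? ', suspicious URL: ' . $s['suspect_urls'][0] : '');
}
```

Each finding is prefixed with its section ([plugin], [admin], [file], [log]) so the output can be grepped or pasted into a ticket. The log section deliberately reports the ten busiest POSTing clients rather than trying to match the exploit: with no request body in the log, a handful of IPs hammering a single form page with a non-browser user agent is the realistic signal, and the WAF log is where to confirm what they sent.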
Patch Now: Update to Version 1.9.13
The fix is straightforward: update Everest Forms Pro to version 1.9.13 or later. The patch was released on March 18, 2026, and properly sanitizes the Calculation Addon input to prevent code injection.
If you cannot update immediately, deactivate the Everest Forms Pro plugin until you can. A form builder being offline is vastly better than a compromised server. A Web Application Firewall (WAF) such as Wordfence or Sucuri can also block exploitation attempts against unpatched versions, but treat that as a stopgap that buys time: the eval() is still there until the plugin is updated.
Why WordPress Plugins Keep Getting Hacked
CVE-2026-3300 follows a depressingly familiar pattern in WordPress security. A plugin uses PHP’s eval() function on user input with insufficient sanitization. The vulnerability sits undetected until a researcher finds it. A patch is released. Thousands of sites fail to update. Attackers reverse-engineer the patch to build exploits. Mass exploitation follows.
WordPress powers over 40% of the web. Its plugin ecosystem is simultaneously its greatest strength and its biggest security liability. Every plugin is a potential attack surface, and many plugin developers — especially for smaller premium plugins like Everest Forms Pro — do not have dedicated security teams reviewing their code.
The takeaway for web developers: audit your plugins regularly, enable automatic updates where possible, use a WAF, and never assume a paid plugin is secure. CVE-2026-3300 proves that even paid, commercial plugins can have trivially exploitable critical vulnerabilities.