
Critical RCE flaw in Everest Forms Pro (CVE‑2026‑3300) actively exploited
Attackers create rogue admin account “diksimarina” via PHP injection
Nearly 30,000 takeover attempts blocked; admins urged to patch and block key IPs
Security researchers are warning of an ongoing hacking campaign targeting certain WordPress websites using a popular plugin tool.
Wordfence reported that Everest Forms Pro, a popular WordPress plugin used to build contact, registration, payment, and other application forms, carried a critical-severity vulnerability that allowed malicious actors to take over affected sites entirely.
The bug was described as a Remote Code Execution (RCE) flaw via PHP code injection. It is tracked as CVE-2026-3300 and was given the severity rating of 9.8/10 (critical). It affects all versions of the plugin up to, and including, 1.9.12.
Patched months ago
Wordfence is now warning that the flaw is being actively abused in the wild to create malicious admin accounts on vulnerable websites:
“The attacker submits a value for a text field that begins with a single quote to close the wrapping string literal, followed by a PHP statement that calls wp_insert_user() to create a new administrator account with the username 'diksimarina',” Wordfence warned in its report.
“The trailing // comment marker ensures the rest of the generated PHP code, including the closing quote, is treated as a comment and does not cause a syntax error.”
“When the form is processed, and the calculation is evaluated, the injected PHP code is executed, and the malicious administrator account is created.”
By creating an admin account, malicious actors can do almost anything with the website, including exfiltrating stored files, redirecting visitors, or even serving malware.
The bug was first disclosed in February this year, and by mid-March the Everest Forms developer had released a fix. Wordfence says exploitation attempts started roughly a month later, in mid-April. So far it has thwarted almost 30,000 attempts, most of which came from two IP addresses.
Admins worried about being potential targets should block the two IP addresses 202.56.2[.]126 and 209.146.60[.]26, and should review log files for the string “diksimarina”.
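The log review the article recommends can be scripted. The following is an added example (not Wordfence's or TechRadar's code): it parses web-server access-log lines in the common Apache/nginx "combined" format and flags any line that comes from one of the two source IPs named above or that contains the rogue username anywhere in the raw line. The log format and the sample lines are constructed for the example; the only values taken from the article are the two IP addresses and the username.

```python
"""Triage access logs for the indicators cited for the Everest Forms Pro
campaign (CVE-2026-3300): two source IPs and the username "diksimarina".
Added example; the log format and sample lines are constructed."""
import re

# Indicators quoted in the article (stored undefanged for direct comparison).
SOURCE_IPS = {"202.56.2.126", "209.146.60.26"}
ROGUE_USERNAME = "diksimarina"

# Apache/nginx "combined" format:
# ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def defang(ip: str) -> str:
    """Turn a defanged indicator such as 202.56.2[.]126 into a plain address."""
    return ip.replace("[.]", ".")


def triage_line(line: str) -> list[str]:
    """Return the indicators matched by one log line (empty list if clean)."""
    hits: list[str] = []
    m = LOG_RE.match(line)
    if not m:
        return hits  # unparsable line: skip rather than guess at its fields
    if m.group("ip") in SOURCE_IPS:
        hits.append(f"source ip {m.group('ip')}")
    # The username may surface in a request path (an author-archive or login
    # query) or in fields added by an audit plugin, so check the whole raw
    # line rather than one parsed field.
    if ROGUE_USERNAME in line.lower():
        hits.append(f"username {ROGUE_USERNAME}")
    return hits


def triage(lines) -> dict[int, list[str]]:
    """Map 1-based line numbers to the indicators each line matched."""
    return {n: h for n, ln in enumerate(lines, 1) if (h := triage_line(ln))}


# Constructed sample log lines: documentation-range addresses plus the two
# source IPs from the article. Paths and user agents are illustrative only.
SAMPLE_LOG = [
    '198.51.100.7 - - [14/Apr/2026:10:01:02 +0000] "GET / HTTP/1.1" '
    '200 5123 "-" "Mozilla/5.0"',
    '202.56.2.126 - - [14/Apr/2026:10:02:15 +0000] "POST /contact-us/ HTTP/1.1" '
    '200 310 "-" "Mozilla/5.0"',
    '209.146.60.26 - - [14/Apr/2026:10:02:40 +0000] '
    '"GET /wp-login.php?redirect_to=/wp-admin/&user=diksimarina HTTP/1.1" '
    '200 2100 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [14/Apr/2026:10:05:00 +0000] "GET /?author=diksimarina HTTP/1.1" '
    '404 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    # Read a real log with: triage(open("/var/log/nginx/access.log"))
    for n, hits in triage(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(hits)}")
```

A hit on the username alone is the stronger signal: the IPs can change, but an administrator named diksimarina has no legitimate reason to exist on a site that did not create one. A match should be followed by checking the WordPress users list directly and confirming the plugin is above version 1.9.12.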
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
Original source: TechRadar

