- Actively exploited critical RCE vulnerability in Everest Forms Pro (CVE-2026-3300)
- Attackers create a rogue admin account, “diksimarina”, via PHP code injection
- Almost 30,000 takeover attempts blocked; administrators are urged to patch and block the two source IPs
Security researchers are warning of an ongoing hacking campaign targeting WordPress sites that run a popular form-builder plugin.
Wordfence reports that Everest Forms Pro, a widely used WordPress plugin for building contact, registration, payment and other forms, had a critical-severity vulnerability that allowed attackers to take over websites completely.
The flaw is a remote code execution (RCE) vulnerability via PHP code injection. It is tracked as CVE-2026-3300, carries a CVSS score of 9.8/10 (Critical), and affects all versions of the plugin up to and including 1.9.12.
Wordfence now warns that the flaw is being actively exploited in the wild to create malicious admin accounts on vulnerable websites:
“The attacker submits a value for a text field that begins with a single quote to close the wrapper string literal, followed by a PHP statement that calls wp_insert_user() to create a new admin account with the username ‘diksimarina’,” Wordfence warned in its report.
“The trailing // comment marker ensures that the rest of the generated PHP code, including the closing quote, is treated as a comment and does not cause a syntax error.”

“Once the form is processed and the calculation is evaluated, the injected PHP code is executed and the malicious administrator account is created.”
By creating an administrator account, malicious actors can do almost anything with the site, including exfiltrating stored files, redirecting visitors, or even serving malware.
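To make the quote-and-comment trick concrete, here is an added example that models the pattern Wordfence describes: a form value spliced into PHP source as a quoted string literal and then evaluated. It is not Everest Forms Pro's code. The wp_insert_user() stub and the payload are stand-ins so the script runs outside WordPress, and the hardened variant shows the generic fix (never let the value become program text), which is not necessarily how the plugin's own patch works.

```php
<?php
// Added illustration of the pattern described in the report. This is not
// Everest Forms Pro's code: it is a minimal stand-in for any code that splices
// a form value into PHP source as a quoted string literal and then eval()s it.

// Stub of wp_insert_user() so the script runs outside WordPress. In a real
// attack the injected call reaches the genuine WordPress function instead.
$created_users = [];
function wp_insert_user(array $userdata)
{
    global $created_users;
    $created_users[] = $userdata;
    return count($created_users); // WordPress returns the new user ID
}

// VULNERABLE: the field value becomes part of the program text. A value that
// starts with a quote ends the literal early and the rest is parsed as code.
function evaluate_vulnerable(string $field_value)
{
    $code = "\$v = '" . $field_value . "'; return \$v;";
    return eval($code);
}

// HARDENED: the value is never concatenated into source text. The evaluated
// snippet reads it from a variable, so quotes and comment markers stay data.
function evaluate_hardened(string $field_value)
{
    $v = $field_value;
    $code = 'return $v;'; // contains no attacker-controlled bytes
    return eval($code);
}

// Hypothetical payload with the shape the report describes: a quote to close
// the literal, a wp_insert_user() call, and a trailing // to swallow the rest.
$payload = "'; wp_insert_user(['user_login' => 'diksimarina', "
         . "'user_pass' => 'attacker-chosen', 'role' => 'administrator']); //";

echo "Generated source in the vulnerable path:\n";
echo "\$v = '" . $payload . "'; return \$v;\n\n";

evaluate_vulnerable($payload);
echo "vulnerable: admin accounts created = " . count($created_users) . "\n";

$created_users = [];
$returned = evaluate_hardened($payload);
echo "hardened:   admin accounts created = " . count($created_users) . "\n";
echo "hardened returned the value unchanged: " . var_export($returned === $payload, true) . "\n";
```

Run it with the php CLI. In the vulnerable path the printed source shows why the closing quote and the original return statement vanish behind the // marker and the stubbed wp_insert_user() call fires; in the hardened path the same bytes come back as an ordinary string and no account is created.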
The bug was first revealed in February of this year, and in mid-March the Everest Forms developer released a fix. Wordfence says exploit attempts started about a month later, in mid-April. So far, it has thwarted nearly 30,000 attempts, most of which came from two IP addresses.
Administrators who have not yet updated should do so. In the meantime, they should block the two IP addresses 202.56.2[.]126 and 209.146.60[.]26, review web-server and WAF logs for the string “diksimarina”, and check the site's user list for an administrator account of that name (or any other administrator they do not recognise). Note that standard access logs do not record POST bodies, so the injected payload itself will usually only appear in WAF or application logs; the source IPs will still show up in ordinary access logs.
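The triage steps above, as an added example that is not part of the article or of Wordfence's tooling: it scans combined-format web-server or WAF log lines for the two source IPs and the rogue username named in the report, and checks WordPress user records for that account or for any administrator created after the campaign began. The log lines and user records are constructed samples, and the CAMPAIGN_START date is an assumption derived from the report's "mid-April" wording.

```python
"""Triage helper for the Everest Forms Pro campaign described in the article.

Added example; it is not part of the original article or of Wordfence's
tooling. It scans web-server/WAF log lines (combined log format) for the two
source IPs and the rogue username named in the report, and checks WordPress
user records for that account or for any administrator created after the
campaign's start. The log lines and user records below are constructed
samples, and the CAMPAIGN_START date is an assumption based on the report's
"mid-April" wording.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Indicators of compromise taken from the report, stored defanged.
CAMPAIGN_IPS = {"202.56.2[.]126", "209.146.60[.]26"}
ROGUE_USERNAME = "diksimarina"
CAMPAIGN_START = datetime(2026, 4, 10)  # assumption: "mid-April"

# Apache/nginx combined log format up to status and size; referer/UA may follow.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into 1.2.3.4."""
    return indicator.replace("[.]", ".")


@dataclass
class LogHit:
    line_no: int
    ip: str
    request: str
    reasons: list = field(default_factory=list)


def scan_log_lines(lines):
    """Return a LogHit for every line that matches a campaign indicator."""
    ips = {refang(i) for i in CAMPAIGN_IPS}
    hits = []
    for n, line in enumerate(lines, start=1):
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # not combined-format; skip rather than guess
        reasons = []
        if m["ip"] in ips:
            reasons.append("request from campaign IP")
        # Match the username anywhere in the line (URL, WAF-logged body, UA).
        if ROGUE_USERNAME in line.lower():
            reasons.append("rogue username present")
        if reasons:
            hits.append(LogHit(n, m["ip"], m["request"], reasons))
    return hits


def find_suspicious_admins(users):
    """Flag the known rogue account plus any admin registered since CAMPAIGN_START.

    `users` mirrors wp_users joined with the role from wp_usermeta: dicts with
    user_login, role and user_registered ("YYYY-MM-DD HH:MM:SS").
    """
    flagged = []
    for u in users:
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if u["user_login"].lower() == ROGUE_USERNAME:
            flagged.append((u["user_login"], "matches reported rogue username"))
        elif u["role"] == "administrator" and registered >= CAMPAIGN_START:
            flagged.append((u["user_login"], "administrator created during campaign window"))
    return flagged


# Constructed sample input (not real traffic): one benign line, three indicators.
SAMPLE_LOG = [
    '203.0.113.9 - - [15/Apr/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 5120',
    '202.56.2.126 - - [15/Apr/2026:10:02:44 +0000] "POST /contact/ HTTP/1.1" 200 312',
    '198.51.100.4 - - [15/Apr/2026:10:03:10 +0000] "GET /author/diksimarina/ HTTP/1.1" 200 2210',
    '209.146.60.26 - - [15/Apr/2026:10:04:00 +0000] "POST /contact/ HTTP/1.1" 200 312',
]

# Constructed user records (not from a real site).
SAMPLE_USERS = [
    {"user_login": "editor1", "role": "editor", "user_registered": "2024-02-01 09:00:00"},
    {"user_login": "admin", "role": "administrator", "user_registered": "2023-06-12 08:30:00"},
    {"user_login": "diksimarina", "role": "administrator", "user_registered": "2026-04-15 10:02:45"},
    {"user_login": "newadmin", "role": "administrator", "user_registered": "2026-04-20 12:00:00"},
]

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.ip} {hit.request!r} -> {', '.join(hit.reasons)}")
    for login, why in find_suspicious_admins(SAMPLE_USERS):
        print(f"user {login!r}: {why}")
```

The IP match works on any ordinary access log; the username match only fires where the string reaches the log (a URL, a WAF-logged request body, or an application log), since combined-format access logs do not record POST bodies. Flagging every administrator created in the campaign window, not just the named account, is a deliberate widening: the username is an attacker choice and may change.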
Via Bleeping Computer