Summary
Key Points:
- A critical remote code execution vulnerability (CVE-2026-3300) in the Everest Forms Pro plugin for WordPress allows unauthenticated attackers to execute PHP on affected sites.
- The flaw, rated 9.8 on the CVSS scale, affects all versions up to and including 1.9.12 and has been actively exploited since April 13, 2026, with over 29,300 exploit attempts blocked by Wordfence.
- Administrators are urged to update to version 1.9.13 immediately to close the flaw, and should also check for indicators of compromise such as unauthorized administrator accounts named "diksimarina."
Technical Details: The vulnerability arises in the plugin's Calculation add-on, which passes attacker-controlled input from form submissions to PHP's eval() without sanitization. Because submitted values are spliced into a string that is then compiled as PHP, an unauthenticated attacker can supply PHP code in a form field and have it executed on the server.
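The following is an added illustration of that flaw class, not Everest Forms Pro's own code: the unsafe eval() construction beside a hardened evaluator that never compiles PHP at runtime. The function names, the {field_N} placeholder syntax, the sample formula and the constructed form submission are assumptions for this example; the plugin's actual implementation may differ.

```php
<?php
declare(strict_types=1);

// VULNERABLE (illustrative): raw form values are spliced into a string handed
// to eval(). Any value that is valid PHP runs with the web server's privileges.
function vulnerable_calculate(string $formula, array $fields)
{
    $expr = preg_replace_callback(
        '/\{field_(\d+)\}/',
        static fn(array $m) => $fields['field_' . $m[1]] ?? '0',
        $formula
    );
    return eval('return ' . $expr . ';');
}

// HARDENED (illustrative): a recursive-descent parser that accepts only numbers,
// {field_N} placeholders, + - * /, unary minus and parentheses. Submitted values
// are coerced to floats up front and never become part of the expression text.
final class ArithmeticEvaluator
{
    private string $src;
    private int $pos = 0;
    /** @var array<string, float> */
    private array $fields;

    private function __construct(string $formula, array $fields)
    {
        $this->src = preg_replace('/\s+/', '', $formula);
        // Non-numeric input such as strlen("pwned") becomes 0.0 here.
        $this->fields = array_map(
            static fn($v) => is_numeric($v) ? (float) $v : 0.0,
            $fields
        );
    }

    public static function evaluate(string $formula, array $fields): float
    {
        $e = new self($formula, $fields);
        $value = $e->parseExpression();
        if ($e->pos !== strlen($e->src)) {
            throw new InvalidArgumentException("Unexpected input at offset {$e->pos}");
        }
        return $value;
    }

    private function peek(): string
    {
        return $this->src[$this->pos] ?? '';
    }

    // expression := term (('+'|'-') term)*
    private function parseExpression(): float
    {
        $value = $this->parseTerm();
        while (($op = $this->peek()) === '+' || $op === '-') {
            $this->pos++;
            $rhs = $this->parseTerm();
            $value = $op === '+' ? $value + $rhs : $value - $rhs;
        }
        return $value;
    }

    // term := factor (('*'|'/') factor)*
    private function parseTerm(): float
    {
        $value = $this->parseFactor();
        while (($op = $this->peek()) === '*' || $op === '/') {
            $this->pos++;
            $rhs = $this->parseFactor();
            if ($op === '/') {
                if ($rhs == 0.0) {
                    throw new DomainException('Division by zero');
                }
                $value /= $rhs;
            } else {
                $value *= $rhs;
            }
        }
        return $value;
    }

    // factor := '-' factor | '(' expression ')' | number | '{field_N}'
    private function parseFactor(): float
    {
        $c = $this->peek();
        if ($c === '-') {
            $this->pos++;
            return -$this->parseFactor();
        }
        if ($c === '(') {
            $this->pos++;
            $value = $this->parseExpression();
            if ($this->peek() !== ')') {
                throw new InvalidArgumentException('Missing closing parenthesis');
            }
            $this->pos++;
            return $value;
        }
        if (preg_match('/\G\d+(\.\d+)?/', $this->src, $m, 0, $this->pos) === 1) {
            $this->pos += strlen($m[0]);
            return (float) $m[0];
        }
        if (preg_match('/\G\{field_(\d+)\}/', $this->src, $m, 0, $this->pos) === 1) {
            $this->pos += strlen($m[0]);
            return $this->fields['field_' . $m[1]] ?? 0.0;
        }
        throw new InvalidArgumentException("Unexpected token '{$c}' at offset {$this->pos}");
    }
}

// Constructed form submission: the attacker places a PHP call in a numeric field.
$formula   = '{field_1} + 2';
$submitted = ['field_1' => 'strlen("pwned")'];

var_dump(vulnerable_calculate($formula, $submitted));          // the injected call executes
var_dump(ArithmeticEvaluator::evaluate($formula, $submitted)); // the payload is coerced to 0.0

try {
    ArithmeticEvaluator::evaluate('system("id")', []);         // PHP in the formula itself
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

In the vulnerable path the string handed to eval() is `return strlen("pwned") + 2;`, so the attacker's function call runs and the result is 7; with system() or file_put_contents() in place of strlen() the same path yields remote code execution. The hardened evaluator returns 2.0 for the same submission because the non-numeric value was coerced to 0.0 before parsing, and it rejects any formula containing identifiers, quotes or function calls with an exception instead of compiling it. The general rule the example shows is that a calculation feature needs an arithmetic interpreter, not a PHP interpreter.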
MITRE ATT&CK Techniques:
- T1190 - Exploit Public-Facing Application (Initial Access)
- T1078 - Valid Accounts (Persistence)
IOCs Mentioned:
- Administrator account name: diksimarina
- Email address: diksimarina@gmail.com
- IP address: 202.56.2.126