Active Exploitation of Everest Forms Pro RCE Creates Rogue WordPress Admins
Attackers are actively exploiting CVE-2026-3300, a critical unauthenticated remote code execution flaw in the Everest Forms Pro WordPress plugin, to fully compromise vulnerable sites. The bug affects versions through 1.9.12 and was fixed in 1.9.13. It stems from the plugin’s Complex Calculation feature, where user-controlled input in process_filter() is concatenated into PHP code and executed with eval(), allowing arbitrary PHP injection through crafted form submissions, often via the /wp-admin/admin-ajax.php endpoint.
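The defect described above is a classic code-injection pattern: user-supplied formula text is concatenated into source code and handed to eval(). The plugin is PHP, but the pattern and its fix are language-independent, so here is an added Python illustration (not Everest Forms Pro code and not how the vendor patched it) of the alternative a formula feature should use: parse the formula into a syntax tree and evaluate only arithmetic nodes, resolving field references through a caller-supplied mapping. Everything else in the tree (calls, attribute access, strings, subscripts) is rejected before anything runs. The function names, the 512-character cap and the exponent guard are my own choices.

```python
"""Restricted arithmetic evaluator for user-controlled calculation formulas.

Illustrative example, not plugin code. Demonstrates the safe alternative to
building source text from user input and calling eval().
"""
import ast
import operator


class FormulaError(ValueError):
    """Raised when a formula contains anything other than plain arithmetic."""


def _safe_pow(base, exp):
    # Guard against resource exhaustion from formulas such as 9 ** 9 ** 9.
    if abs(exp) > 64:
        raise FormulaError("exponent too large")
    return operator.pow(base, exp)


# Whitelisted operators: any node type or operator not listed here is rejected.
_BINARY_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
    ast.Pow: _safe_pow,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def _eval_node(node, fields):
    if isinstance(node, ast.Expression):
        return _eval_node(node.body, fields)
    if (isinstance(node, ast.Constant)
            and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.Name):
        # Field references resolve only through the mapping the caller passes in,
        # never through globals, builtins or attribute lookups.
        if node.id not in fields:
            raise FormulaError(f"unknown field {node.id!r}")
        try:
            return float(fields[node.id])
        except (TypeError, ValueError) as exc:
            raise FormulaError(f"field {node.id!r} is not numeric") from exc
    if isinstance(node, ast.BinOp) and type(node.op) in _BINARY_OPS:
        left = _eval_node(node.left, fields)
        right = _eval_node(node.right, fields)
        return _BINARY_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand, fields))
    # Call, Attribute, Subscript, string constants, comprehensions, lambdas: all rejected.
    raise FormulaError(f"disallowed syntax: {type(node).__name__}")


def safe_calculate(formula, fields):
    """Evaluate an arithmetic formula such as 'price * qty + 5' against field values.

    `fields` maps field names to submitted values (strings are fine, they are
    converted with float()). Raises FormulaError on anything non-arithmetic.
    """
    if len(formula) > 512:  # arbitrary cap; real forms never need more
        raise FormulaError("formula too long")
    try:
        tree = ast.parse(formula, mode="eval")
    except SyntaxError as exc:
        raise FormulaError(f"syntax error: {exc.msg}") from exc
    return _eval_node(tree, fields)


if __name__ == "__main__":
    # Constructed sample: a price calculation over two submitted form fields.
    print(safe_calculate("price * qty + 5", {"price": "10", "qty": "3"}))
    try:
        safe_calculate("__import__('os').getpid()", {})
    except FormulaError as err:
        print("rejected:", err)
```

The important property is that the formula is never turned back into source code: the tree is walked and each node is dispatched against an explicit allow-list, so a formula that reaches a Call or Attribute node fails closed regardless of what the caller tried to express.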
Wordfence reported exploitation beginning on April 13 and escalating into mass attacks, with more than 29,300 exploit attempts blocked overall and over 17,900 on May 16 alone. A recurring payload creates a rogue administrator account named diksimarina, giving attackers persistent access to upload webshells, install backdoors, alter site content, and potentially pivot deeper into the hosting environment. Defenders are being urged to upgrade immediately to 1.9.13 or later, audit WordPress administrator accounts for unauthorized users, and review logs for suspicious requests and known malicious IP activity.
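The three defender actions in the paragraph above (confirm the patched version is installed, audit administrator accounts, review logs for unusual admin-ajax.php traffic) are mechanical enough to script. The following is an added Python triage helper, not Wordfence or WPEverest tooling, that runs offline over data a site operator can export: WordPress user records (for example from WP-CLI's `wp user list --format=json`), the installed plugin version, and web-server access logs in combined log format. The user records, log lines, IP addresses and the `siteowner` baseline below are all constructed for the example; the fixed version, the exploitation start date and the `diksimarina` username come from the advisory.

```python
"""Offline triage for the Everest Forms Pro advisory: version check, admin audit,
admin-ajax.php request volume per source IP. Added example; all inputs constructed.
"""
import re
from collections import Counter
from datetime import datetime, timezone

FIXED_VERSION = "1.9.13"                      # first patched release (advisory)
KNOWN_ROGUE_ADMINS = {"diksimarina"}          # username reported in the campaign
EXPLOITATION_START = datetime(2026, 4, 13, tzinfo=timezone.utc)  # per Wordfence

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def plugin_is_vulnerable(installed_version):
    """True if the installed plugin predates the fixed release."""
    return version_tuple(installed_version) < version_tuple(FIXED_VERSION)


def suspicious_admins(users, baseline_admins, exploitation_start=EXPLOITATION_START):
    """Flag administrator accounts that match a reported rogue name, are absent
    from the operator's own baseline, or were registered after exploitation began.
    Returns a list of (username, [reasons])."""
    flagged = []
    for user in users:
        if "administrator" not in user["roles"]:
            continue
        reasons = []
        if user["user_login"] in KNOWN_ROGUE_ADMINS:
            reasons.append("known rogue name")
        if user["user_login"] not in baseline_admins:
            reasons.append("not in baseline")
        registered = datetime.fromisoformat(user["user_registered"]).replace(tzinfo=timezone.utc)
        if registered >= exploitation_start:
            reasons.append("registered after exploitation began")
        if reasons:
            flagged.append((user["user_login"], reasons))
    return flagged


def ajax_post_sources(log_lines, threshold):
    """Count POST requests to /wp-admin/admin-ajax.php per source IP and return
    the IPs at or above `threshold`. Exploit traffic reportedly used this endpoint;
    ordinary sites also use it, so the threshold is a triage filter, not a verdict."""
    counts = Counter()
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        if match["method"] == "POST" and match["path"].startswith("/wp-admin/admin-ajax.php"):
            counts[match["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# --- constructed sample data -------------------------------------------------
SAMPLE_USERS = [
    {"user_login": "siteowner",   "roles": ["administrator"], "user_registered": "2024-01-05 09:00:00"},
    {"user_login": "editor1",     "roles": ["editor"],        "user_registered": "2025-03-02 12:30:00"},
    {"user_login": "diksimarina", "roles": ["administrator"], "user_registered": "2026-05-16 03:14:09"},
]
SAMPLE_BASELINE = {"siteowner"}
SAMPLE_LOG = [
    '198.51.100.4 - - [16/May/2026:03:14:01 +0000] "GET /contact/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/May/2026:03:14:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [16/May/2026:03:14:06 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [16/May/2026:03:14:07 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.4 - - [16/May/2026:03:15:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("vulnerable:", plugin_is_vulnerable("1.9.12"))
    for login, reasons in suspicious_admins(SAMPLE_USERS, SAMPLE_BASELINE):
        print("flagged admin:", login, "->", ", ".join(reasons))
    print("high-volume admin-ajax POST sources:", ajax_post_sources(SAMPLE_LOG, threshold=3))
```

The baseline set is the piece operators most often lack: keep a signed-off list of legitimate administrator logins so that any admin outside it is flagged by construction, rather than relying on the attacker reusing the same username next time.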

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Mass exploitation spike hits Everest Forms Pro targets
Telemetry showed a major surge in exploitation on May 16, 2026, with more than 17,900 exploit requests blocked that day alone. Reports said attackers were often using payloads to create a WordPress administrator account named "diksimarina."
Attackers begin exploiting Everest Forms Pro flaw
Wordfence observed exploitation activity targeting CVE-2026-3300 beginning on April 13, 2026. The attacks targeted unpatched WordPress sites and commonly attempted to create rogue administrator accounts for persistence.
CVE-2026-3300 publicly disclosed
The Everest Forms Pro remote code execution vulnerability was publicly disclosed after the patch release. Reporting described the flaw as critical, with a CVSS score of 9.8, and tied it to improper input handling in the plugin's calculation functionality.
Everest Forms Pro patch released for CVE-2026-3300
A fix for the critical unauthenticated remote code execution flaw CVE-2026-3300 in Everest Forms Pro was released in version 1.9.13. The vulnerability affected versions up to 1.9.12 and involved unsafe use of eval() in the Complex Calculation feature.
Sansec reports GorgonAgora fake storefront skimming campaign
Sansec described the GorgonAgora operation as active since August 2025, using 5,714 fake .shop storefronts impersonating major brands to steal payment card data. The campaign reportedly used a fake Stripe iframe and infrastructure tied to a server in Moldova to relay 3D Secure challenges and evade detection.
Sources
- CVE-2026-3300 - Everest Forms Pro <= 1.9.12 - Unauthenticated RCE via Calculation Formula Injection, by DhiyaneshGeek (Pull Request #16358, projectdiscovery/nuclei-templates) - github.com
- Everest Forms Pro WordPress Flaw is Handing Attackers Admin Access - securityaffairs.com
- Hackers exploit critical Everest Forms Pro vulnerability for website control (brief) - SC Media, scworld.com
- Critical Everest Forms Pro flaw exploited to take over WordPress sites - bleepingcomputer.com
- Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites - thehackernews.com
- Hackers Actively Exploiting WordPress Plugin Vulnerability to Inject PHP code - cybersecuritynews.com
- Everest Forms Pro Flaw Faces Active WordPress Exploitation - securityonline.info
- Attackers Actively Exploiting Critical Vulnerability in Everest Forms Pro Plugin - Malware News, malware.news