Everest Forms Pro CVE-2026-3300: The WordPress RCE Exploit With 29,000 Attacks — Is Your Site at Risk?
A critical remote code execution flaw in the Everest Forms Pro WordPress plugin — tracked as CVE-2026-3300 with a CVSS score of 9.8 — has been under active exploitation since April 2026, with Wordfence reporting more than 29,000 blocked attack attempts. The flaw requires no authentication: any visitor to a site running a vulnerable version can trigger arbitrary PHP code execution. With the US Cybersecurity and Infrastructure Security Agency (CISA) now listing it on its Known Exploited Vulnerabilities catalogue, and June 2026 coverage confirming attacks are continuing, Australian WordPress site owners need to act quickly.
Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.
CVE-2026-3300 Goes on CISA's Most-Wanted List
The timeline behind CVE-2026-3300 follows a now-familiar pattern in WordPress plugin security: responsible disclosure, a patch, public writeup, and then exploitation — with the gap between disclosure and active attack measuring less than two weeks.
Security researcher h0xilo submitted the vulnerability to Wordfence's bug bounty programme in February 2026. WPEverest, the developer behind Everest Forms Pro, released a fix in version 1.9.13 on 18 March 2026. Wordfence then published its full technical disclosure on 30 March 2026 — giving the developer a twelve-day head start before going public. Active exploitation in the wild was first detected on 13 April 2026, just fourteen days after disclosure.
Since then, the attacks have not stopped. Bleeping Computer reported that Wordfence's firewall had blocked more than 29,300 exploit attempts targeting the flaw. The Hacker News confirmed in June 2026 coverage that attacks were ongoing, with the Vulnerability Intelligence Report for 8 June 2026 recording sixteen attempts in the preceding twenty-four hours alone.
The US Cybersecurity and Infrastructure Security Agency (CISA) subsequently added CVE-2026-3300 to its Known Exploited Vulnerabilities (KEV) catalogue. Inclusion on the KEV list is CISA's highest-confidence public signal that a vulnerability is being exploited in the real world — not just theoretically possible. For US federal agencies, KEV listing triggers a mandatory remediation deadline. For Australian organisations, it is a clear indicator that treating this as a low-priority patch is the wrong call.
CVE-2026-3300 is classified as a PHP Code Injection vulnerability (CWE-94). The National Vulnerability Database entry confirms the CVSS 9.8 base score and notes that exploitation requires no authentication: no credentials, no login, no admin access. Anyone who can submit a form on a publicly accessible site running a vulnerable version of Everest Forms Pro, where that form uses the Complex Calculation feature, can launch the attack.
Why Australian WordPress Site Owners Should Pay Attention
Everest Forms Pro is a commercial add-on for the Everest Forms plugin suite, designed specifically for building complex forms: payment integrations, multi-step registration workflows, booking systems, quote calculators. It is precisely the kind of plugin that small and medium Australian businesses use when they need something more capable than a basic contact form. That also makes the attack surface meaningful.
Wordfence places the direct installation count at roughly 4,000 sites. That number may seem modest compared to plugins with hundreds of thousands of installs, but it understates the exposure. Commercial plugins are often bundled with premium themes, deployed via development agencies across multiple client sites, or quietly activated as part of a hosting package and then forgotten. The actual number of sites running Everest Forms Pro — including those where it ships as a dependency — is likely considerably higher.
The broader context is stark. The Patchstack State of WordPress Security 2026 whitepaper identified 11,334 new vulnerabilities in the WordPress ecosystem in 2025 alone — a 42 per cent increase year-on-year. Of those, 46 per cent were disclosed publicly without a patch already available, meaning site owners running affected plugins had no fix to apply at the moment of greatest risk. Among heavily exploited vulnerabilities, 20 per cent were attacked within six hours of public disclosure.
CVE-2026-3300 sits in the "exploitation followed disclosure by two weeks" category, a longer lead time than the flaws in the Patchstack data that were attacked within hours of disclosure. But the attacks that followed have been sustained, systematic, and clearly automated. The "diksimarina" payload, observed consistently across exploit attempts, indicates an organised campaign rather than opportunistic probing.
For Australian site owners specifically, the consequences of a successful compromise extend beyond the immediate technical damage. If a compromised WordPress site processes customer data (names, email addresses, phone numbers, booking details, payment details), a successful attack can trigger notification obligations under Australia's Notifiable Data Breaches scheme. An eligible data breach, one that is likely to result in serious harm to any of the individuals concerned, must be notified to the Office of the Australian Information Commissioner (OAIC) and to those individuals; there is no minimum number of affected people below which the obligation disappears. That is a compliance and reputational burden that no small business needs.
How CVE-2026-3300 Works — The PHP Injection Chain
The Complex Calculation Feature
Everest Forms Pro ships with a Calculation Addon that allows form designers to build fields that compute values dynamically — think a booking form where the total price updates as a user selects room type, duration, and extras. The feature accepts user-supplied values from form fields and feeds them into a formula engine via a function called process_filter() in the plugin's Calculation Addon class.
The problem: process_filter() concatenates those user-submitted values directly into a PHP code string. That string is then passed to PHP's eval() function, which executes it as live PHP code on the server. The only sanitisation applied to the input before it reaches eval() is WordPress's sanitize_text_field(), a function designed for HTML output: it strips tags and normalises whitespace, but it does not escape single quotes, double quotes, or any other character with meaning in PHP source. Sanitisation for one context (HTML) is no defence in another (PHP code), and escaping quotes would not be enough either, because the value is already sitting inside executable code. The only robust fix is never to build PHP source from user input at all.
The result is a textbook PHP code injection flaw. A visitor submitting a crafted string in a text, email, URL, select, or radio field on any form using the Complex Calculation feature can cause the server to execute arbitrary PHP code.
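The pattern above, reduced to a runnable illustration. This is an added example written for this article, not WPEverest's code and not the vendor's patch. It assumes a formula template with {{field}} placeholders, a submitted field map, and that the vulnerable path wraps each value in a single-quoted PHP literal before eval(); the sanitize_text_field() stand-in and the SafeCalc parser are this example's own constructions, and the hostile field value is deliberately benign.

```php
<?php
// Added illustration of the flaw class described above; not WPEverest's code
// and not the patch. Assumptions: {{field}} placeholders, values wrapped in a
// single-quoted PHP literal before eval(). The attacker string is benign here.

// Stand-in for WordPress's sanitize_text_field(): strips tags and normalises
// whitespace. Quotes, dots and parentheses pass straight through.
function sanitize_text_field_stub(string $str): string {
    $str = strip_tags($str);
    $str = preg_replace('/[\r\n\t ]+/', ' ', $str);
    return trim($str);
}

// VULNERABLE pattern: user value spliced into PHP source, then eval().
function calc_vulnerable(string $formula, array $fields): string {
    $code = $formula;
    foreach ($fields as $name => $value) {
        $clean = sanitize_text_field_stub((string) $value);
        $code  = str_replace('{{' . $name . '}}', "'" . $clean . "'", $code);
    }
    // A value such as  2' . strtoupper('injected') . '  closes the literal,
    // so everything after the first quote is executed as PHP by the server.
    return (string) eval('return ' . $code . ';');
}

// HARDENED: only numbers are substituted, and the arithmetic is evaluated by a
// small recursive-descent parser, so user input never reaches the PHP parser.
final class SafeCalc {
    private array $tokens = [];
    private int $pos = 0;

    public static function evaluate(string $expr): float {
        if (!preg_match('/^[\d.\s+\-*\/()]+$/', $expr)) { throw new InvalidArgumentException('Formula contains disallowed characters'); }
        preg_match_all('/\d+(?:\.\d+)?|[+\-*\/()]/', $expr, $m);
        $p = new self();
        $p->tokens = $m[0];
        $v = $p->expr();
        if ($p->pos !== count($p->tokens)) { throw new InvalidArgumentException('Unexpected trailing tokens'); }
        return $v;
    }

    private function expr(): float {            // expr := term (('+'|'-') term)*
        $v = $this->term();
        while (in_array($this->tokens[$this->pos] ?? null, ['+', '-'], true)) {
            $op = $this->tokens[$this->pos++];
            $r  = $this->term();
            $v  = ($op === '+') ? $v + $r : $v - $r;
        }
        return $v;
    }

    private function term(): float {            // term := factor (('*'|'/') factor)*
        $v = $this->factor();
        while (in_array($this->tokens[$this->pos] ?? null, ['*', '/'], true)) {
            $op = $this->tokens[$this->pos++];
            $r  = $this->factor();
            if ($op === '/' && $r == 0.0) { throw new InvalidArgumentException('Division by zero in formula'); }
            $v = ($op === '*') ? $v * $r : $v / $r;
        }
        return $v;
    }

    private function factor(): float {          // factor := number | '-' factor | '(' expr ')'
        $t = $this->tokens[$this->pos++] ?? null;
        if ($t === '(') {
            $v = $this->expr();
            if (($this->tokens[$this->pos++] ?? null) !== ')') { throw new InvalidArgumentException('Missing closing parenthesis'); }
            return $v;
        }
        if ($t === '-') { return -$this->factor(); }
        if ($t === null || !is_numeric($t)) { throw new InvalidArgumentException('Unexpected token in formula'); }
        return (float) $t;
    }
}

function calc_safe(string $formula, array $fields): float {
    $expr = $formula;
    foreach ($fields as $name => $value) {
        $value = trim((string) $value);
        if (!is_numeric($value)) { throw new InvalidArgumentException("Field '$name' is not numeric"); }
        $expr = str_replace('{{' . $name . '}}', (string) (float) $value, $expr);
    }
    return SafeCalc::evaluate($expr);
}

// Constructed sample submissions: the same hostile string against both paths.
$formula = '{{price}} * {{nights}}';
$honest  = ['price' => '100', 'nights' => '2'];
$hostile = ['price' => '100', 'nights' => "2' . strtoupper('injected') . '"];

echo "vulnerable/honest:  ", calc_vulnerable($formula, $honest), "\n";
echo "vulnerable/hostile: ", calc_vulnerable($formula, $hostile), "\n"; // attacker-controlled call ran
echo "safe/honest:        ", calc_safe($formula, $honest), "\n";
try {
    calc_safe($formula, $hostile);
} catch (InvalidArgumentException $e) {
    echo "safe/hostile:       rejected (", $e->getMessage(), ")\n";
}
```

Run with `php calc-demo.php` (the file name is arbitrary). The hostile submission makes the vulnerable path return a string containing the result of strtoupper(), proof that attacker-supplied PHP executed, while the hardened path refuses it before any evaluation. The point of the parser is not the arithmetic but the boundary: a numeric check on each field, a character whitelist on the assembled expression, and no eval() anywhere, so there is no PHP context left for a quote to break out of.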
What Attackers Are Actually Doing
Wordfence's firewall telemetry reveals consistent attack patterns. The most prevalent payload attempts to use the code injection to create a new WordPress administrator account with the username diksimarina and the email address diksimarina@gmail.com. The goal is straightforward: once a rogue admin account exists, attackers can log in through the standard WordPress dashboard, install backdoor plugins or themes, modify existing PHP files to add persistent access, redirect traffic to phishing pages, inject infostealer malware into pages served to site visitors, or hold the site for ransom.
The "diksimarina" naming is not random. Consistent payload strings across thousands of attacks from different source IPs indicate an automated campaign running the same tool or exploit kit. This is not a researcher probing for vulnerabilities — it is an active operation attempting to build a network of compromised WordPress sites at scale.
Who Is Actually Vulnerable
Any site running Everest Forms Pro version 1.9.12 or earlier is vulnerable if it has a form that uses the Complex Calculation feature. Patched version 1.9.13 was released 18 March 2026. Sites that auto-update or have an active maintenance plan may already be protected — but many WordPress installations, particularly those managed by non-technical owners, receive infrequent attention. Plugin update rates in the WordPress ecosystem remain surprisingly low: Wordfence and Patchstack both note that a significant proportion of known-vulnerable plugin installs persist weeks or months after a patch is available.
It is worth noting: even sites running Everest Forms Pro without the Complex Calculation feature enabled benefit from patching. Automated scanners fingerprint the plugin version from publicly readable files and fire the payload regardless of how the plugin is configured, so a site on 1.9.12 will be probed either way; updating simply guarantees that the probe fails.
What Australian Site Owners Must Do Right Now
If your site runs Everest Forms Pro, the steps below are not optional. With active exploitation confirmed by CISA and attacks still being recorded in June 2026, this is a patch-now situation.
1. Check and update Everest Forms Pro immediately. Log into your WordPress dashboard and navigate to Plugins → Installed Plugins. Search for "Everest Forms Pro." If it is installed and running version 1.9.12 or earlier, update to 1.9.13 or the latest available version now, after taking the backup described in step 5. Do not wait for your next maintenance window.
2. Audit your WordPress administrator accounts. Go to Users → All Users and filter by the Administrator role. Look for any account you do not recognise, particularly one using the username diksimarina or the email address diksimarina@gmail.com, or any other unfamiliar email. If you find an unauthorised admin account, your site has very likely been compromised. Note its username, email address and registration date (you will need them for any breach assessment), delete the account, change all remaining admin passwords, and rotate the authentication keys and salts in wp-config.php so that every existing login session, including the attacker's, is invalidated. Then proceed to step 4.
3. Check for unexpected and modified files. Look for a file named wp-comments-posts.php in your site root: this is a known post-exploitation indicator, named to blend in with the legitimate core file wp-comments-post.php (singular "post"), which must stay. Review wp-config.php for injected PHP code that was not there before, and list the site's PHP files by modification time to catch anything changed since exploitation began on 13 April 2026 (expect the updated plugin's own files to show up there too). If you are on cPanel or a similar hosting control panel, the File Manager can help with this; many hosts also offer malware scanning tools built into their dashboards.
4. Deploy a Web Application Firewall before the next wave hits. Patching closes CVE-2026-3300, but a WAF is the layer that protects you against the next unpatched plugin flaw — and against attempts to exploit a vulnerability before you've had a chance to update. Sucuri's WAF sits in front of your site and blocks malicious requests — including PHP injection payloads — before they reach WordPress. Sucuri also offers a malware removal service if you suspect your site has already been compromised; their team can clean the infection, remove backdoors, and restore clean files.
5. Take a full site backup before making any changes. Ideally this is the first thing you do, before the update in step 1; if you have already updated, take one now, before any cleanup. If your site is already compromised, running a plugin update on a backdoored installation can sometimes trigger issues, and a pre-cleanup copy preserves evidence. Include the database. Keep the backup, but do not restore from it without first checking it for the indicators above, because a backup taken after 13 April 2026 may itself contain the attacker's admin account or files. Most reputable AU hosting providers offer one-click backup through their control panel.
6. Wordfence users: confirm your firewall rules are current. Wordfence premium subscribers received blocking rules for CVE-2026-3300 at the time of Wordfence's March 2026 disclosure. Free tier users received protection on 8 June 2026. If you are on the free tier and have not recently seen a rules update prompt, check your Wordfence dashboard.
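The checks in steps 1 to 3 can be run in one pass from the command line. The script below is an added example written for this article, not a tool from WPEverest, Wordfence or the article's author. It assumes it is run from the WordPress root (so wp-load.php is in the current directory), uses only the indicators named above (a version below 1.9.13, an administrator named diksimarina or using diksimarina@gmail.com, wp-comments-posts.php in the root, PHP injected into wp-config.php, PHP files modified since 13 April 2026), and the EXPECTED_ADMINS list and the script's file name are placeholders you must replace.

```php
<?php
// Added triage script for steps 1 to 3 above; not from the article, WPEverest
// or Wordfence. Run from the WordPress root:  php cve-2026-3300-triage.php
// Assumptions: wp-load.php is in the current directory; EXPECTED_ADMINS lists
// your real administrator emails (the value below is a placeholder).

if (PHP_SAPI !== 'cli') { exit("Run from the command line only.\n"); }
require getcwd() . '/wp-load.php';
require_once ABSPATH . 'wp-admin/includes/plugin.php';

const EXPECTED_ADMINS = ['owner@example.com.au']; // ASSUMPTION: replace with your admins
$findings = [];

// 1. Plugin version. get_plugins() reads every plugin header, so the Pro
//    plugin's directory name does not have to be guessed. Inactive copies
//    are reported too: their files still sit on disk.
foreach (get_plugins() as $file => $data) {
    if (stripos($data['Name'], 'Everest Forms Pro') === false) { continue; }
    $state = is_plugin_active($file) ? 'active' : 'inactive';
    if (version_compare($data['Version'], '1.9.13', '<')) {
        $findings[] = "VULNERABLE: {$data['Name']} {$data['Version']} ($state, $file); update to 1.9.13 or later";
    } else {
        echo "OK: {$data['Name']} {$data['Version']} ($state)\n";
    }
}

// 2. Administrator accounts: flag the known IoC and anything not on the expected list.
$expected = array_map('strtolower', EXPECTED_ADMINS);
foreach (get_users(['role' => 'administrator']) as $u) {
    $line = sprintf('admin #%d %s <%s> registered %s', $u->ID, $u->user_login, $u->user_email, $u->user_registered);
    if (strcasecmp($u->user_login, 'diksimarina') === 0 || strcasecmp($u->user_email, 'diksimarina@gmail.com') === 0) {
        $findings[] = "KNOWN IoC ADMIN: $line";
    } elseif (!in_array(strtolower($u->user_email), $expected, true)) {
        $findings[] = "UNEXPECTED ADMIN: $line";
    } else {
        echo "OK: $line\n";
    }
}

// 3a. The lookalike file. The legitimate core file is wp-comments-post.php.
if (is_file(ABSPATH . 'wp-comments-posts.php')) {
    $findings[] = 'IoC FILE: wp-comments-posts.php in site root (lookalike of wp-comments-post.php)';
}

// 3b. wp-config.php (in the root or one level up). Heuristic only: these
//     constructs have no business in a normal configuration file.
foreach ([ABSPATH . 'wp-config.php', dirname(rtrim(ABSPATH, '/\\')) . '/wp-config.php'] as $cfg) {
    if (!is_file($cfg)) { continue; }
    foreach (file($cfg) as $n => $text) {
        if (preg_match('/\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|system|shell_exec|passthru|assert)\s*\(/i', $text)) {
            $findings[] = sprintf('SUSPICIOUS %s line %d: %s', $cfg, $n + 1, trim($text));
        }
    }
}

// 3c. PHP files touched since in-the-wild exploitation began. A legitimate
//     plugin update after that date will appear here as well; review, do not panic.
$since  = strtotime('2026-04-13');
$recent = [];
$it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator(ABSPATH, FilesystemIterator::SKIP_DOTS));
foreach ($it as $f) {
    if ($f->isFile() && strtolower($f->getExtension()) === 'php' && $f->getMTime() >= $since) {
        $recent[] = substr($f->getPathname(), strlen(ABSPATH));
    }
}
if ($recent) {
    $findings[] = count($recent) . ' PHP file(s) modified since 13 April 2026, first 20: ' . implode(', ', array_slice($recent, 0, 20));
}

if (!$findings) { echo "No CVE-2026-3300 indicators found.\n"; exit(0); }
echo "\n" . count($findings) . " finding(s):\n";
foreach ($findings as $f) { echo " - $f\n"; }
exit(1);
```

A non-zero exit code on any finding makes the script usable from a cron job or an agency's multi-site runbook. It does not clean anything: a hit on the admin or file checks means the site is compromised and the rest of step 2, step 4 and a forensic copy of the site (step 5) follow, because an attacker who had arbitrary code execution has not necessarily stopped at one admin account.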
The ASD's Essential Eight framework recommends patching applications within 48 hours when a critical vulnerability is actively exploited. If your organisation is trying to align with the Essential Eight — and the Australian Government now strongly encourages this for businesses of all sizes — CVE-2026-3300 is exactly the kind of flaw that warrants same-day response.
Beyond This Patch: Building a WordPress Site That Survives the Next One
CVE-2026-3300 will be resolved the moment you update to Everest Forms Pro 1.9.13. But the pattern it represents — a plugin's premium feature executing unsanitised user input, a patch that arrives weeks before exploitation starts, and then an automated campaign that persists for months — is not unusual. It is, per the Patchstack 2026 data, becoming the norm.
The most useful thing any WordPress site owner can do after patching this specific vulnerability is to use it as a prompt to assess their broader security posture. A few practical considerations:
Audit your installed plugins ruthlessly. The average WordPress site runs somewhere between 10 and 20 plugins. Each one is a potential attack surface. If you installed Everest Forms Pro for a specific feature that was later removed from your site, deactivate and delete the plugin: a deactivated plugin still presents a version fingerprint to scanners, and its PHP files stay on disk, where a directly requested file can still execute even though WordPress never loads the plugin. Remove what you are not using.
Consider managed update services. For site owners who are not monitoring security feeds daily, auto-updates with staging-environment testing reduce the window between patch release and deployment. Several Australian hosting providers now offer this as a managed service for WordPress. The trade-off is occasionally a plugin update that breaks a visual element; the trade-off for not updating is CVE-2026-3300.
Monitor CISA's KEV catalogue as a practical threat feed. The catalogue is public and free. Adding a periodic review of new KEV entries to your routine takes minutes. When a piece of software you rely on appears on the list, you know the exploitation risk is confirmed — not theoretical. This is particularly useful for site owners who manage multiple WordPress installations for clients.
Understand what data your forms collect. Everest Forms Pro is used for payment forms, registration forms, and booking systems. If your forms handle personal information — and under Australia's Privacy Act, even names and email addresses qualify — you have an obligation to protect that data. A compromised form that silently forwards submissions to an attacker is not just a technical problem; it is a potential Notifiable Data Breach. Reviewing your form configurations and ensuring sensitive data is not being unnecessarily stored in the WordPress database is worthwhile regardless of CVE-2026-3300.
File integrity monitoring matters more than most site owners realise. The "diksimarina" attack creates a rogue admin account, which is relatively visible. More sophisticated post-exploitation activity adds lines to existing PHP files (a theme's functions.php, a must-use plugin, wp-config.php), creating persistent access that survives a plugin update, and plants database entries (a rogue user, a scheduled task) that survive even a core reinstall if the database is left in place. Tools that baseline your WordPress file system and alert on unexpected changes are a genuine defence-in-depth measure for sites handling customer data.
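What such a baseline looks like in practice, as an added example written for this article rather than a tool from the article or any vendor: it snapshots SHA-256 hashes of the WordPress tree once on a known-clean install and reports added, removed and modified files on every later run. It assumes PHP 8, that it is run from the WordPress root as `php wp-fim.php baseline` and then `php wp-fim.php check` from cron, and that the baseline path (a placeholder below) is outside the web root; the script name and directory list are this example's own choices.

```php
<?php
// Added file-integrity baseline example; not a tool from the article or from
// any vendor, and a starting point rather than a replacement for a maintained
// FIM product. Assumptions: PHP 8, run from the WordPress root, baseline path
// below is a placeholder and should live outside the web root.

const FIM_BASELINE = '/var/backups/wp-fim-baseline.json'; // ASSUMPTION: adjust for your host
// Directories hashed recursively. uploads/ is included for .php files only,
// because that is where dropped web shells usually land.
const FIM_DIRS = ['wp-admin', 'wp-includes', 'wp-content/plugins', 'wp-content/mu-plugins',
                  'wp-content/themes', 'wp-content/uploads'];

// Hash every top-level file (wp-config.php, index.php, .htaccess and any
// newcomer such as wp-comments-posts.php) plus the trees listed in FIM_DIRS.
function fim_hash_tree(string $root): array {
    $root   = rtrim($root, '/');
    $hashes = [];
    foreach (new DirectoryIterator($root) as $e) {
        if ($e->isFile()) { $hashes[$e->getFilename()] = hash_file('sha256', $e->getPathname()); }
    }
    foreach (FIM_DIRS as $dir) {
        if (!is_dir("$root/$dir")) { continue; }
        $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator("$root/$dir", FilesystemIterator::SKIP_DOTS));
        foreach ($it as $f) {
            if (!$f->isFile()) { continue; }
            $rel = substr($f->getPathname(), strlen($root) + 1);
            if (str_starts_with($rel, 'wp-content/uploads/') && strtolower($f->getExtension()) !== 'php') { continue; }
            $hashes[$rel] = hash_file('sha256', $f->getPathname());
        }
    }
    ksort($hashes);
    return $hashes;
}

// Compare two snapshots; returns added, removed and modified relative paths.
function fim_diff(array $baseline, array $current): array {
    $modified = [];
    foreach (array_intersect_key($current, $baseline) as $path => $hash) {
        if (!hash_equals($baseline[$path], $hash)) { $modified[] = $path; }
    }
    return [
        'added'    => array_keys(array_diff_key($current, $baseline)),
        'removed'  => array_keys(array_diff_key($baseline, $current)),
        'modified' => $modified,
    ];
}

$mode = $argv[1] ?? 'check';
if ($mode === 'baseline') {
    file_put_contents(FIM_BASELINE, json_encode(fim_hash_tree(getcwd()), JSON_PRETTY_PRINT), LOCK_EX);
    echo "Baseline written to " . FIM_BASELINE . "\n";
    exit(0);
}
$baseline = is_file(FIM_BASELINE) ? json_decode((string) file_get_contents(FIM_BASELINE), true) : null;
if (!is_array($baseline)) {
    fwrite(STDERR, "No baseline at " . FIM_BASELINE . "; run 'baseline' on a clean install first.\n");
    exit(2);
}
$total = 0;
foreach (fim_diff($baseline, fim_hash_tree(getcwd())) as $kind => $paths) {
    foreach ($paths as $path) {
        echo strtoupper($kind) . ": $path\n";
        $total++;
    }
}
// Non-zero exit lets cron or a monitoring wrapper raise an alert.
exit($total > 0 ? 1 : 0);
```

Re-run `baseline` after every legitimate update, otherwise the next check reports the update as changes. For core files, WP-CLI's `wp core verify-checksums` already compares against the hashes WordPress.org publishes, but nothing equivalent exists for a commercial plugin such as Everest Forms Pro, which is why a local baseline of the plugin and theme directories is worth keeping.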
The Australian Cyber Security Centre's guidance consistently emphasises that patching is the highest-return security action available to organisations of any size. CVE-2026-3300 is a reminder of why that guidance exists: a known, patchable vulnerability with a publicly available fix has been generating thousands of attacks for two months. The path to a compromised site often runs directly through an unread plugin update notification.
Related reading
- Ghost CMS CVE-2026-26980: SQL Injection Flaw Has Hijacked 700+ Websites — What Australian Site Owners Must Do Now
- CVE-2026-8206: The Kirki WordPress Plugin Flaw That Lets Attackers Hijack Your Admin Account
Protect Your WordPress Site Before the Next Attack
Check out our recommended security tools for a complete protection stack.
The views expressed in this article are editorial opinion and general information only. They do not constitute professional security, legal, or financial advice. Always verify details with primary sources and consult a qualified professional before making security decisions based on this content.