WordPress users beware — experts claim sites are being hijacked using a critical flaw in popular Everest Forms Pro plugin - TechzLab - Tech News, Gadgets, Mobile, IT Updates & Reviews

Critical RCE flaw in Everest Forms Pro (CVE‑2026‑3300) actively exploited
Attackers create rogue admin account “diksimarina” via PHP injection
Nearly 30,000 takeover attempts blocked; admins urged to patch and block key IPs

Security researchers are warning of an ongoing hacking campaign targeting certain WordPress websites using a popular plugin tool.

Wordfence has claimed Everest Forms Pro, a popular WordPress plugin, was allegedly being used to create contract, registration, payment, and other application forms, carried a critical-severity vulnerability that allowed malicious actors to take over the sites entirely.

The bug was described as a Remote Code Execution (RCE) flaw via PHP code injection. It is tracked as CVE-2026-3300 and was given the severity rating of 9.8/10 (critical). It affects all versions of the plugin up to, and including, 1.9.12.

Patched months ago

Wordfence is now warning that the flaw is being actively abused in the wild to create malicious admin accounts on vulnerable websites:

“The attacker submits a value for a text field that begins with a single quote to close the wrapping string literal, followed by a PHP statement that calls wp_insert_user() to create a new administrator account with the username ‘diksimarina’,” Wordfence warned in its report.

“The trailing // comment marker ensures the rest of the generated PHP code, including the closing quote, is treated as a comment and does not cause a syntax error.” “When the form is processed, and the calculation is evaluated, the injected PHP code is executed, and the malicious administrator account is created.”

By creating an admin account, malicious actors can do almost anything with the website, including exfiltrating stored files, redirecting visitors, or even serving malware.

The bug was first disclosed in February this year, and by mid-March, the Everest Forms developer released a fix. Wordfence says that exploitation attempts started roughly a month later, in mid-April. So far, it thwarted almost 30,000 attempts, most of which came from two IP addresses.

Admins worried about being potential targets should block the two IP addresses 202.56.2[.]126 and 209.146.60.26, and should review log files for the string “diksimarina.”

Via BleepingComputer

The best antivirus for all budgets

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

WordPress users beware — experts claim sites are being hijacked using a critical flaw in popular Everest Forms Pro plugin

Friday’s papers: University tells academics to avoid US, Finland’s athlete shortage, and slippery streets – Yle

NYT Strands hints and answers for Sunday, June 7 (game #826)

Unpatched Windows search URI handler issue leaks NTLMv2 hashes – SC Media

Don't miss

Faster iPhones, New Safety Features, and More

WWDC 2026 Live: Apple’s New Siri, iOS 27, Tim Cook and More

Years of emergency prep taught me how to storm-proof my solar generators