- Critical RCE Flaw in Everest Forms Pro (CVE-2026-3300) Actively Exploited
- Attackers create fraudulent “diksimarina” administrator account via PHP injection
- Nearly 30,000 takeover attempts blocked; administrators urged to patch and block key IPs
Security researchers are warning of an ongoing hacking campaign targeting certain WordPress websites using a popular plugin tool.
Wordfence reports that Everest Forms Pro, a popular WordPress plugin used to build contact, registration, payment and other forms, contained a critical-severity vulnerability that allowed malicious actors to take over affected sites entirely.
The bug is described as a remote code execution (RCE) flaw exploitable through PHP code injection. It is tracked as CVE-2026-3300 and carries a severity rating of 9.8/10 (critical). It affects all versions of the plugin up to and including 1.9.12.
Patched months ago
Wordfence now warns that the flaw is being actively abused to create malicious administrator accounts on vulnerable websites:
“The attacker sends a value for a text field that begins with a single quote to close the literal string, followed by a PHP statement that calls wp_insert_user() to create a new administrator account with the username ‘diksimarina’,” Wordfence warned in its report.
“The trailing comment marker // ensures that the rest of the generated PHP code, including the closing quote, is treated as a comment and does not cause a syntax error.”
“When the form is processed and the calculation is evaluated, the injected PHP code is executed and the malicious administrator account is created.”
By creating an administrator account, malicious actors can do almost anything with the website, including extracting stored files, redirecting visitors, or even distributing malware.
The bug was first revealed in February of this year, and in mid-March, developer Everest Forms released a fix. Wordfence says the exploitation attempts began about a month later, in mid-April. So far, it has thwarted nearly 30,000 attempts, most of which came from two IP addresses.
Administrators concerned about being potential targets should block the two IP addresses 202.56.2[.]126 and 209.146.60[.]26, and should check their log files for the string “diksimarin”.
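The log check above, as an added example that is not part of the original article or of Wordfence's report: a small Python scanner that reads web-server access logs in the common combined format and flags any line that either comes from one of the two source addresses named in the article or contains the username substring “diksimarin” (which also matches the full account name “diksimarina”). The log lines embedded below are constructed for the demonstration, not real traffic; the log format, the field layout and the finding structure are assumptions of this example.

```python
"""Scan access logs for the indicators named in the article (added example, not Wordfence code)."""
import re
import sys
from ipaddress import ip_address


def refang(indicator: str) -> str:
    """Turn a defanged address such as '202.56.2[.]126' back into a parseable IP string."""
    return indicator.replace("[.]", ".")


# Source addresses from the article, written defanged as they appear there and
# validated with ipaddress so a typo in an indicator fails loudly instead of silently.
IOC_IPS = {str(ip_address(refang(ip))) for ip in ("202.56.2[.]126", "209.146.60[.]26")}

# The article says to search for "diksimarin"; as a substring it also matches "diksimarina".
IOC_USERNAME = "diksimarin"

# Combined log format (assumed): client IP, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic). Benign clients use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Apr/2026:10:01:12 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
202.56.2.126 - - [18/Apr/2026:10:02:45 +0000] "POST /contact/ HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.7 - - [18/Apr/2026:10:03:01 +0000] "POST /contact/ HTTP/1.1" 200 312 "-" "Mozilla/5.0"
209.146.60.26 - - [18/Apr/2026:10:05:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "curl/8.4"
198.51.100.7 - - [18/Apr/2026:10:06:30 +0000] "GET /wp-login.php?log=diksimarina HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def scan_log(text: str) -> list[dict]:
    """Return one finding per log line that matches an indicator, with the reasons it matched."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line (rotated header, truncated write, etc.)
        reasons = []
        if m["ip"] in IOC_IPS:
            reasons.append("known-attacker-ip")
        if IOC_USERNAME in line.lower():
            reasons.append("rogue-admin-username")
        if reasons:
            findings.append(
                {
                    "line": lineno,
                    "ip": m["ip"],
                    "time": m["ts"],
                    "request": m["req"],
                    "status": m["status"],
                    "reasons": reasons,
                }
            )
    return findings


def scan_file(path: str) -> list[dict]:
    """Scan a log file on disk; undecodable bytes are replaced rather than aborting the scan."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_log(fh.read())


if __name__ == "__main__":
    # With a path argument scan that file; otherwise run against the constructed sample.
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_log(SAMPLE_LOG)
    for f in results:
        print(f"line {f['line']}: {f['ip']} {f['request']!r} -> {', '.join(f['reasons'])}")
    print(f"{len(results)} matching line(s)")
```

A hit on the username alone (the last sample line) is the more important signal: it means the account name has appeared in a request regardless of source address, which is what you would expect to see after a successful exploitation rather than during a blocked attempt.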
Via BleepingComputer