Vulnerability Management

Hackers exploit critical Everest Forms Pro vulnerability for website control

June 8, 2026
By SC Staff

Hackers are actively exploiting a critical vulnerability, tracked as CVE-2026-3300, in the Everest Forms Pro WordPress plugin to take complete control of affected websites, Bleeping Computer reports. The flaw affects versions 1.9.12 and earlier and can be exploited without authentication to execute arbitrary PHP code on the server.

The vulnerability lies in the plugin's Complex Calculation feature, which takes user-supplied input, inserts it into a string of PHP code, and executes that string with eval(). A sanitization function is applied to the input, but it does not escape single quotes. An attacker can therefore submit a value containing a single quote to close the string literal the plugin intended, append arbitrary PHP code, and comment out the remainder of the generated line so that the result still parses. The outcome is remote code execution with no credentials required.

Exploitation in the wild has been observed, with attackers using the flaw to create rogue administrator accounts under the username "diksimarina". Administrator access gives them full control of the site: modifying content, installing malicious plugins, planting backdoors, and reading the database.

A patch was released on March 18, but active exploitation began on April 13, and Wordfence reports having blocked thousands of attempts since then. Sites still running version 1.9.12 or earlier should update to the patched release. Wordfence also recommends blocking the attacking IP addresses it has identified and advises administrators to review their logs for suspicious activity, checking in particular for the username "diksimarina".

Source: Bleeping Computer
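To make the mechanics concrete, the following PHP 8 sketch is an added example, not the plugin's code and not taken from the Bleeping Computer or Wordfence reports. It reproduces the pattern the article describes: a sanitizer that leaves single quotes alone, field values pasted into PHP source as single-quoted literals and run with eval(), and a submitted value that closes the literal, adds code of the attacker's choosing, and comments out the rest of the line. The {{field}} placeholder syntax, the function names and the weak_sanitize() stand-in are assumptions for illustration. The hardened version beside it drops eval() entirely and evaluates the arithmetic with a small parser that accepts only numbers and operators.

```php
<?php
// Hypothetical stand-in for the weak sanitizer the article describes:
// it strips tags and whitespace but leaves single quotes untouched.
function weak_sanitize(string $value): string {
    return trim(strip_tags($value));
}

// VULNERABLE PATTERN: each {{field}} becomes a single-quoted string literal
// inside generated PHP source that is then executed with eval().
function calculate_vulnerable(string $formula, array $fields): mixed {
    $expr = preg_replace_callback(
        '/\{\{(\w+)\}\}/',
        fn(array $m) => "'" . weak_sanitize((string) ($fields[$m[1]] ?? '')) . "'",
        $formula
    );
    // A value like  1'; $result = 'INJECTED'; //  closes the literal, runs
    // attacker-chosen code, and comments out the rest of that line.
    return eval('$result = ' . $expr . ";\n" . 'return $result;');
}

// HARDENED: no eval(). Only numeric field values are substituted, the
// resulting formula is limited to digits and arithmetic operators, and a
// small recursive-descent parser evaluates it.
function calculate_hardened(string $formula, array $fields): float {
    $expr = preg_replace_callback(
        '/\{\{(\w+)\}\}/',
        function (array $m) use ($fields): string {
            $v = $fields[$m[1]] ?? '';
            if (!is_numeric($v)) { throw new InvalidArgumentException("field {$m[1]} is not numeric"); }
            // Fixed-point rendering keeps exponent notation out of the formula.
            return rtrim(rtrim(sprintf('%.10F', (float) $v), '0'), '.');
        },
        $formula
    );
    if (!preg_match('/^[\d.\s+\-*\/()]+$/', $expr)) { throw new InvalidArgumentException('unsupported characters in formula'); }
    return (new ArithmeticParser($expr))->parse();
}

// Grammar: expr := term (('+'|'-') term)* ; term := factor (('*'|'/') factor)* ;
// factor := '-' factor | '(' expr ')' | number. PHP 8 raises DivisionByZeroError
// on division by zero, so no separate check is needed.
final class ArithmeticParser {
    private array $tokens;
    private int $pos = 0;
    public function __construct(string $expr) {
        preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $expr, $m);
        $this->tokens = $m[0];
    }
    public function parse(): float {
        $value = $this->expr();
        if ($this->pos !== count($this->tokens)) { throw new InvalidArgumentException('trailing tokens in formula'); }
        return $value;
    }
    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }
    private function next(): ?string { return $this->tokens[$this->pos++] ?? null; }
    private function expr(): float {
        $v = $this->term();
        while (in_array($this->peek(), ['+', '-'], true)) {
            $v = $this->next() === '+' ? $v + $this->term() : $v - $this->term();
        }
        return $v;
    }
    private function term(): float {
        $v = $this->factor();
        while (in_array($this->peek(), ['*', '/'], true)) {
            $v = $this->next() === '*' ? $v * $this->factor() : $v / $this->factor();
        }
        return $v;
    }
    private function factor(): float {
        $t = $this->next();
        if ($t === '-') { return -$this->factor(); }
        if ($t === '(') {
            $v = $this->expr();
            if ($this->next() !== ')') { throw new InvalidArgumentException('missing closing parenthesis'); }
            return $v;
        }
        if ($t === null || !is_numeric($t)) { throw new InvalidArgumentException('expected a number'); }
        return (float) $t;
    }
}

// Demo: one benign submission and one crafted value (both constructed here).
$formula = '{{qty}} * 2';
$payload = "1'; \$result = 'INJECTED'; //";
var_dump(calculate_vulnerable($formula, ['qty' => '21']));
var_dump(calculate_vulnerable($formula, ['qty' => $payload]));
var_dump(calculate_hardened($formula, ['qty' => '21']));
try {
    calculate_hardened($formula, ['qty' => $payload]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with the php command-line binary. The first call shows the vulnerable path producing the product it was designed for; the second shows it returning the injected string instead of a number, because the payload terminated the literal and the trailing // comment swallowed the rest of that line of generated code, which is exactly the close-inject-comment sequence the article describes. The hardened function returns the product for the numeric value and throws for the payload before any code is built. The design point is that escaping quotes would only patch one path into eval(); removing eval() and parsing the arithmetic yourself removes the whole class of bug.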
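As an added example of the account review the article recommends (this is not Wordfence's or SC Media's tooling), the PHP script below lists administrator accounts that either match the rogue username reported in the campaign or were registered on or after April 13, the date exploitation began. When loaded inside WordPress, for instance with WP-CLI's wp eval-file, it pulls live accounts through get_users(); run stand-alone it falls back to constructed sample data. The registration-date cut-off is a review heuristic, not proof of compromise, so a legitimate account created after that date will be flagged too.

```php
<?php
// Added audit helper, not part of the plugin or of Wordfence's guidance. Flags
// administrator accounts that use the rogue username from the campaign or were
// registered on/after the day exploitation began. Record fields mirror WP_User
// (ID, user_login, user_registered, user_email).
const ROGUE_USERNAMES = ['diksimarina'];
const EXPLOITATION_START = '2026-04-13 00:00:00';

function find_suspicious_admins(array $admins, array $rogue = ROGUE_USERNAMES, string $since = EXPLOITATION_START): array {
    $flagged = [];
    foreach ($admins as $u) {
        $reasons = [];
        if (in_array(strtolower((string) $u['user_login']), $rogue, true)) {
            $reasons[] = 'known rogue username';
        }
        // user_registered is 'YYYY-MM-DD HH:MM:SS', so a string compare orders correctly.
        if ((string) $u['user_registered'] >= $since) {
            $reasons[] = 'registered on/after exploitation start (review, not proof)';
        }
        if ($reasons) {
            $flagged[] = ['ID' => $u['ID'], 'user_login' => $u['user_login'],
                          'user_registered' => $u['user_registered'], 'reasons' => $reasons];
        }
    }
    return $flagged;
}

if (function_exists('get_users')) {
    // Inside WordPress (e.g. `wp eval-file audit-admins.php`): live administrators.
    $admins = array_map(
        fn($u) => ['ID' => $u->ID, 'user_login' => $u->user_login,
                   'user_registered' => $u->user_registered, 'user_email' => $u->user_email],
        get_users(['role' => 'administrator'])
    );
} else {
    // Constructed sample data so the script runs stand-alone.
    $admins = [
        ['ID' => 1,  'user_login' => 'siteowner',    'user_registered' => '2023-02-10 09:12:44', 'user_email' => 'owner@example.com'],
        ['ID' => 57, 'user_login' => 'diksimarina',  'user_registered' => '2026-04-14 03:21:07', 'user_email' => 'x@example.net'],
        ['ID' => 58, 'user_login' => 'backup-admin', 'user_registered' => '2026-05-02 11:00:00', 'user_email' => 'b@example.com'],
    ];
}

foreach (find_suspicious_admins($admins) as $hit) {
    printf("ID %-4d %-14s registered %s  [%s]\n",
        $hit['ID'], $hit['user_login'], $hit['user_registered'], implode('; ', $hit['reasons']));
}
```

In the sample data the 'diksimarina' account is flagged on both counts and 'backup-admin' on the date heuristic alone, which is the kind of hit an administrator should confirm against the web server and plugin logs before deleting. Pair the account review with the upgrade: removing a rogue administrator without patching the plugin leaves the unauthenticated code-execution path open.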