Threat actors are actively exploiting CVE-2026-3300, a critical remote code execution (RCE) vulnerability with a CVSS score of 9.8 in the Everest Forms Pro WordPress plugin. Active exploitation began on April 13, 2026—57 days after the release of the 1.9.13 security patch and 26 days following the public disclosure on March 30. Wordfence telemetry indicates that over 29,300 attack attempts have been blocked, with a single-day peak of more than 17,900 requests recorded on May 16.
- CVE-2026-3300 affects Everest Forms Pro versions up to 1.9.12: an unauthenticated RCE via eval() within the Complex Calculation component.
- The 1.9.13 patch has been available since March 18, 2026, yet active exploitation started on April 13 and continues, with 16 attempts recorded in the last 24 hours.
- The most prevalent payload creates an administrator account named 'diksimarina'; the IP address 202.56.2.126 is responsible for over 26,300 blocked requests.
- Wordfence Premium firewall rules were active as of February 27, and free rules as of March 29; however, virtual protection has not translated into comprehensive effective patching.
The Mechanism: When sanitize_text_field() Meets eval()
The root of the flaw lies in the process_filter() function of the Calculation Addon. This component dynamically constructs PHP code strings by concatenating user-submitted values from form fields and subsequently passing them to eval(). According to the Wordfence analysis reported by The Hacker News: "This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval()."
While the sanitize_text_field() function is applied to the input, it fails to neutralize single quotes or other characters significant to the PHP execution context. As Wordfence documents: "The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field."
Attackable fields include text, email, URL, select, and radio buttons. The only prerequisite is that the Complex Calculation feature must be enabled. The attack endpoint is /wp-admin/admin-ajax.php, which is accessible without authentication. The payload construction exploits the ability to break out of the PHP string context and inject arbitrary instructions.
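To make the mechanism concrete, here is an added illustration; it is not code from Everest Forms Pro or from Wordfence's analysis. `sanitize_text_field_demo` is a simplified stand-in for WordPress's `sanitize_text_field()`, `build_php_source_unsafe` sketches the concatenation pattern the advisory describes with the `eval()` call itself left out, and `SafeCalc` is a hypothetical replacement that validates every field value as a number and evaluates the formula with a small parser, so no PHP source is ever generated. The `{field}` placeholder syntax and all sample values are assumptions.

```php
<?php
// Added illustration, not Everest Forms Pro or Wordfence code. The {field}
// placeholder syntax and every value below are constructed.

// Simplified stand-in for WordPress's sanitize_text_field(): strips tags and
// control characters, trims. Like the real function it leaves a quote alone.
function sanitize_text_field_demo(string $value): string {
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    return trim($value);
}

// Vulnerable shape, sketched: the sanitised value is quoted and spliced into
// PHP source, so a quote in the value edits the code rather than the data.
// The original hands this string to eval(); here it is only returned.
function build_php_source_unsafe(string $template, array $fields): string {
    foreach ($fields as $name => $value) {
        $quoted = "'" . sanitize_text_field_demo($value) . "'";
        $template = str_replace('{' . $name . '}', $quoted, $template);
    }
    return 'return ' . $template . ';';
}

// Hardened shape: field values must validate as numbers, the formula must pass
// a character whitelist, and a recursive-descent parser evaluates it. No PHP
// source is ever built, so there is nothing to eval().
final class SafeCalc {
    private string $src = '';
    private int $pos = 0;
    public static function evaluate(string $template, array $fields): float {
        $expr = preg_replace_callback('/\{([a-z0-9_]+)\}/i', function ($m) use ($fields) {
            $num = filter_var($fields[$m[1]] ?? '', FILTER_VALIDATE_FLOAT);
            if ($num === false) {
                throw new InvalidArgumentException("field {$m[1]} is not numeric");
            }
            return '(' . $num . ')';   // values only ever enter as numeric literals
        }, $template);
        if (!preg_match('/^[0-9.+\-*\/() ]+$/', $expr)) {
            throw new InvalidArgumentException('formula contains disallowed characters');
        }
        $calc = new self();
        $calc->src = str_replace(' ', '', $expr);
        $result = $calc->parseExpr();
        if ($calc->pos !== strlen($calc->src)) {
            throw new InvalidArgumentException('trailing input in formula');
        }
        return $result;
    }

    private function peek(): string { return $this->src[$this->pos] ?? ''; }

    private function parseExpr(): float {
        $v = $this->parseTerm();
        while ($this->peek() === '+' || $this->peek() === '-') {
            $op = $this->src[$this->pos++];
            $r = $this->parseTerm();
            $v = $op === '+' ? $v + $r : $v - $r;
        }
        return $v;
    }

    private function parseTerm(): float {
        $v = $this->parseFactor();
        while ($this->peek() === '*' || $this->peek() === '/') {
            $op = $this->src[$this->pos++];
            $r = $this->parseFactor();   // PHP 8: x / 0 throws DivisionByZeroError
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    }

    private function parseFactor(): float {
        $ch = $this->peek();
        if ($ch === '(') {
            $this->pos++;
            $v = $this->parseExpr();
            if ($this->peek() !== ')') {
                throw new InvalidArgumentException('missing closing parenthesis');
            }
            $this->pos++;
            return $v;
        }
        if ($ch === '-') {
            $this->pos++;
            return -$this->parseFactor();
        }
        if (!preg_match('/\G[0-9]+(?:\.[0-9]+)?/', $this->src, $m, 0, $this->pos)) {
            throw new InvalidArgumentException('expected a number at offset ' . $this->pos);
        }
        $this->pos += strlen($m[0]);
        return (float) $m[0];
    }
}

// Constructed demonstration: the quote in the note field survives sanitisation
// unchanged; the safe path accepts only numeric fields.
$fields = ['qty' => '3', 'price' => '2.5', 'note' => "it's"];
echo build_php_source_unsafe('{qty} * {price}', $fields), PHP_EOL;
echo sanitize_text_field_demo($fields['note']), PHP_EOL;
echo SafeCalc::evaluate('{qty} * ({price} + 1)', $fields), PHP_EOL;
```

The design point is that the safe path never has a code context for a quote to break out of: a non-numeric field such as `{note}` is rejected by `filter_var` before any parsing happens (`SafeCalc::evaluate('{note} + 1', $fields)` throws `InvalidArgumentException`), the character whitelist fails closed on anything the parser does not understand, and the parser only ever produces a float. A string sanitiser, however thorough, cannot give that guarantee, because its job is to clean text for HTML or database storage, not to make text safe as PHP source.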
"More than 29,300 exploit attempts targeting the defect have been blocked to date. Of these, 16 attack attempts occurred in the last 24 hours" — Wordfence, via The Hacker News
The Patch Gap Timeline: A 57-Day Window of Exposure
The vulnerability was reported to the Wordfence bug bounty program by researcher h0xilo. The timeline reveals a systematic disconnect between the availability of a fix and its actual adoption:
On March 18, 2026, WPEverest released version 1.9.13. Previously, on February 27, Wordfence deployed firewall rules for Premium customers, anticipating the public fix by nearly three weeks. On March 29, the same protection reached free users. Public disclosure followed on March 30, and active exploitation began on April 13.
The firewall rules filtered malicious traffic before the patched code was widely accessible, but this virtual protection did not eliminate the underlying vulnerability. Administrators who failed to update the plugin—despite WAF alerts—left the flaw active in their codebase. The result is a classic "patch gap" scenario: perimeter defense masked technical debt, delaying necessary corrective action.
A significant escalation occurred on May 16, 2026, with over 17,900 attempts in 24 hours, according to Wordfence data reported by Infosecurity Magazine. Cybersecurity News adds that the IP 202.56.2.126 is responsible for over 26,300 blocked requests, with other active addresses including 209.146.60.26, 15.235.166.18, 2402:1f00:8000:800::40db, and 185.78.165.153.
The 'diksimarina' Pattern: Automation and Commodity Exploitation
The most recurring payload in Wordfence telemetry creates an administrator account with the username 'diksimarina' and the email address diksimarina@gmail.com. This Indicator of Compromise (IOC) is documented across four independent sources, with converging data on the account identity and attack volumes.
The use of a predefined account with a consistent name suggests an automated toolkit rather than targeted manual attacks. The repeatability of the pattern, combined with traffic concentration from a few IPs, indicates that the exploit is likely integrated into a WordPress commodity exploitation framework—tools designed to scan, identify vulnerable versions, and deploy standardized payloads.
The Everest Forms Pro plugin has approximately 4,000 active installations; however, this modest number does not mitigate the risk. Every compromised site can serve as a pivot for attacks on the hosting environment, data exfiltration, the distribution of further payloads, or recruitment into a botnet. Unauthenticated RCE on WordPress remains one of the most efficient vectors for infrastructure compromise, regardless of a specific plugin's popularity.
Immediate Mitigation Steps
- Verify the installed version of Everest Forms Pro: Update immediately to 1.9.13 or higher if using any release up to 1.9.12.
- Audit WordPress administrator accounts: Remove any 'diksimarina' users or other unrecognized accounts created in recent months.
- Examine access logs for POST requests to /wp-admin/admin-ajax.php originating from the documented IPs, particularly 202.56.2.126.
- Evaluate whether the Complex Calculation functionality is necessary: If not, disable it as an additional containment measure.
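The log and account checks in the list above, as an added PHP triage script that is not from the cited sources or from WPEverest. The access-log lines and user rows are constructed; the combined log format is assumed, and the user-row keys follow the fields that WP-CLI's `wp user list --format=json` emits. The IP addresses, the 'diksimarina' username and email, and the April 13 exploitation start date are the indicators the article reports.

```php
<?php
// Added triage helpers, not code from the cited sources or from WPEverest.
// Log lines and user rows below are constructed; the combined log format and
// the user-row keys (as emitted by `wp user list --format=json`) are assumed.

// Indicators reported in the article.
const IOC_IPS = ['202.56.2.126', '209.146.60.26', '15.235.166.18',
                 '2402:1f00:8000:800::40db', '185.78.165.153'];
const IOC_USERNAME = 'diksimarina';
const IOC_EMAIL    = 'diksimarina@gmail.com';
const EXPLOITATION_START = '2026-04-13';

// Parse one combined-format access log line (Apache/Nginx default); null if it
// does not match. IPv6 client addresses parse the same way as IPv4.
function parse_access_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => explode('?', $m[4], 2)[0], 'status' => (int) $m[5]];
}

// POST requests to admin-ajax.php from the reported IPs. Unauthenticated POSTs
// to this endpoint are normal WordPress traffic (heartbeat, front-end AJAX),
// so the source address is what separates a hit from noise.
function find_suspicious_requests(array $lines, array $iocIps): array {
    $hits = [];
    foreach ($lines as $line) {
        $r = parse_access_line($line);
        if ($r === null || $r['method'] !== 'POST') {
            continue;
        }
        if ($r['path'] === '/wp-admin/admin-ajax.php' && in_array($r['ip'], $iocIps, true)) {
            $hits[] = $r;
        }
    }
    return $hits;
}

// Administrator rows that match the IOC identity or were registered on or
// after the exploitation start date. Dates compare lexically because both
// sides share the YYYY-MM-DD prefix.
function find_suspicious_admins(array $users, string $since = EXPLOITATION_START): array {
    $flagged = [];
    foreach ($users as $u) {
        $why = [];
        if (strcasecmp($u['user_login'], IOC_USERNAME) === 0) { $why[] = 'IOC username'; }
        if (strcasecmp($u['user_email'], IOC_EMAIL) === 0)    { $why[] = 'IOC email'; }
        if ($u['user_registered'] >= $since)                  { $why[] = "registered on/after $since"; }
        if ($why) { $flagged[$u['user_login']] = $why; }
    }
    return $flagged;
}

// Constructed sample input.
$log = [
    '198.51.100.7 - - [14/May/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '202.56.2.126 - - [16/May/2026:03:14:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 71 "-" "python-requests/2.31"',
    '203.0.113.9 - - [16/May/2026:03:15:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
    '2402:1f00:8000:800::40db - - [16/May/2026:03:20:41 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 403 199 "-" "curl/8.4.0"',
];
$users = [
    ['user_login' => 'editor1',     'user_email' => 'editor@example.org',    'user_registered' => '2025-11-02 09:00:00'],
    ['user_login' => 'diksimarina', 'user_email' => 'diksimarina@gmail.com', 'user_registered' => '2026-05-16 03:14:10'],
];

foreach (find_suspicious_requests($log, IOC_IPS) as $hit) {
    printf("[%s] %s POST %s -> HTTP %d\n", $hit['time'], $hit['ip'], $hit['path'], $hit['status']);
}
foreach (find_suspicious_admins($users) as $login => $why) {
    printf("admin '%s': %s\n", $login, implode(', ', $why));
}
```

To run this against a real site, replace `$log` with lines read from the web server's access log and `$users` with the decoded output of `wp user list --role=administrator --format=json`. In the constructed sample, the heartbeat POST from the unlisted address is deliberately left unflagged, and the two flagged requests differ in a way worth reading: a 403 is consistent with a firewall block, whereas a 200 from a reported IP means the request reached the application and the site should be treated as possibly compromised until the account audit and file integrity checks say otherwise. The registration-date heuristic is intentionally broad; any administrator created after April 13 deserves a second look even if the name is not 'diksimarina', since a toolkit's default username is trivially changed.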
Sources do not specify the number of successful compromises; available telemetry refers exclusively to blocked attempts. No infrastructure overlaps currently link the actor responsible for the 'diksimarina' pattern to known campaigns. Furthermore, the cited sources do not document whether WPEverest released an advisory independent of the patch, nor whether CVE-2026-3300 has been added to the CISA KEV catalog.
The Lesson of the Open Window
What makes this case significant is not technical sophistication—an eval() on unsanitized input is a well-documented bug class—but the persistence of the vulnerability despite multiple lines of defense. The firewall filtered, the patch was released, and the disclosure provided warning: yet thousands of attempts continue months later on systems that remain exposed.
The 'diksimarina' pattern, with its predictable identity, serves as both an indicator of automation and a forensic trace. Any administrator managing a WordPress site with this plugin has precise search parameters to verify their compromise status. The question is not whether the exploit works—it does—but how many administrators will apply the fix before the next spike in attacks reaches them.
Information has been verified against cited sources and is current at the time of publication.
Sources
- https://thehackernews.com/2026/06/hackers-exploit-critical-everest-forms.html
- https://cybersecuritynews.com/wordpress-plugin-vulnerability-exploit/
- https://www.infosecurity-magazine.com/news/everest-forms-pro-rce-actively/
- https://www.sentinelone.com/vulnerability-database/cve-2026-3300/
- https://techlomedia.in/2026/06/critical-everest-forms-pro-vulnerability-under-active-attack-124308/