WordPress has seen over 29,300 attacks against its security, which means that security researchers are seeing a repeated focus on one particular target; the Everest Forms Pro plugin.
The attacks are tied to a CVE-2026-3300 vulnerability; classified as critical by the Common Vulnerability Scoring System (CVSS), with a score of 9.8/10. This type of vulnerability could allow a hacker to gain access and control of a compromised website.
Given this large number of WordPress websites that could be susceptible to this type of attack, website owners should understand the impact of the vulnerability as well as how the attack will be executed so they can take appropriate precautions to protect their websites. Let’s explore it more deeply.
Why Are Hackers Targeting This WordPress Plugin?
This vulnerability has a critical-severity score of 9.8 out of 10 and can be exploited by attackers without having valid login credentials, so this vulnerability poses a severe risk for your website. The number of active installations of Everest Forms Pro applications impacted by this vulnerability is estimated to be over 4,000, which, without patches being made, could lead to unauthorized creation of administrators and/or full access and control of the website.
If your website uses Everest Forms Pro plugin, the message is clear: there should not be a delay in acting on this warning – you need to take immediate action. In this article, I will explain what CVE-2026-3300 is, how the attacks work, the associated risks, and what you need to do today to secure your WordPress website.
CVE-2026-3300 Timeline: From Discovery to Active Exploitation
In the last 24 hours alone, at least 16 new attack attempts have been recorded. The vulnerability followed a rapid timeline from discovery to active exploitation.
| Date | Event |
| February 2026 | Security researcher h0xilo reports the flaw |
| March 18, 2026 | Patch released in Everest Forms Pro 1.9.13 |
| March 30, 2026 | Public disclosure of vulnerability |
| April 13, 2026 | Active exploitation begins |
| May 16, 2026 | Massive spike of 17,900+ attacks detected |
| June 2026 | Exploitation attempts continue |
The most alarming aspect of this vulnerability is that attackers started exploiting the vulnerability to exploit the website almost one month after the patch for this vulnerability was released. Therefore, many plugin owners clearly did not update their plugins in a timely manner.
29,300+ Attack Attempts: What the Numbers Reveal
According to the Wordfence vulnerability report, attacks targeting this vulnerability began on April 13, 2026, approximately two weeks after its public disclosure. This attack campaign demonstrates the need to take website security seriously, considering the following numbers:
- 29,300+ attempts to exploit this vulnerability
- 17,900+ attacks in 1 day maximum
- Approx. 4,000 installations of Everest Forms Pro currently active
- CVSS Severity Score of 9.8/10 (Critical)
- All versions of Everest Forms Pro prior to 1.9.12
- The most recent version is 1.9.13
While these numbers are indicative of the number of attempts made by attackers to exploit this vulnerability are based only on observed attacks, the number of attempts to exploit this vulnerability is likely to be significantly greater than what is reported.
How Hackers Exploit CVE-2026-3300
Everest Forms Pro’s Complex Calculation feature is where all of these vulnerabilities stem from. This part of the plugin accepts input from forms created on the website, then dynamically processes the user’s submission. When executing code using PHP’s dangerous eval() function, however, there seems to be an issue with how user inputs are handled properly throughout its programming.
In simple terms:
User Input → Insufficient Sanitization → Dynamic PHP Execution → Remote Code Execution
The improper sanitization of characters has allowed attackers access to public web forms that accept user submissions; by injecting malicious PHP code directly into the website and executing it without any means of authenticating a login’ before running their exploit, they can run malicious PHP code directly on the server itself. Let’s move towards the reasons for this vulnerability.
What Caused the Everest Forms Pro Security Flaw?
This security weakness is the result of a combination of multiple security flaws:
Improper Input Filtering
Although the WordPress Plugin will filter the user’s input, it does not filter out the necessary characters that may be used as part of a code injection attack.
Unsafe Use of eval()
Using the eval() function to execute dynamically created code in PHP is a frequent source of security issues. This is generally regarded as an unsafe practice.
Publicly Accessible Forms
Attackers can exploit the security flaw through publicly available forms, because they do not need credentials before accessing them.
Code Injection Vulnerability
This vulnerability is classified as CWE-94: Improper Control of Code Generation, as it is an issue associated with a common code execution vulnerability.
Why Cybersecurity Experts Are Sounding the Alarm
Security professionals view CVE-2026-3300 as a serious incident because of the three significant risks associated with it:
- High Severity (9.8)
- No need for authentication
- Potential to completely compromise a website
Despite the issuance of a security patch to fix this vulnerability, security researchers continue to observe exploitation activity against this vulnerability on a regular basis, indicating that website vulnerabilities will remain targets for exploitation.
Experts agree that the best option is to upgrade to the latest version of the plugin available.
What Happens If Your WordPress Site Is Compromised?
If an exploit is successful, the attacker may gain virtually unlimited control over a WordPress site. Let’s have a look at Potential Consequences:
Rogue Administrator Accounts
An attacker can create an unauthorized administrative account to maintain access to the compromised site.
Malware Deployment
Attackers can upload malicious scripts, web shells, and back doors to your website.
Content Manipulation
Attackers can modify pages, blog posts, forms, and branding elements on your website.
Data Exposure
Considerable amounts of sensitive data that are stored on WordPress (example: credit card numbers) can be exposed.
Complete Site Takeover
The attackers can have complete administrative control over your website.
Consequences for businesses: SEO loss, downtime, customer trust damaged, monetary loss.
How to Secure Your WordPress Website Immediately
If you are using Everest Forms Pro you should take immediate measures.
1) Update Plugin Right Now
Update to Everest forms Pro version 1.9.13 or higher as this version has the official security fix for CVE-2026-3300.
2) Review administrator accounts
Review the list of your users and check for admin accounts that are not yours. Be sure to delete any unknown admin accounts.
3) Monitor Website Activity
Review logs regularly to ensure that no unauthorized changes have been made.
4) Enable Security Monitoring
Implement a reputable WordPress security solution to catch any malicious activities or suspicious file changes.
5) Uninstall Unused Plugins
Any plugins that you do not use create additional vulnerabilities for your website to be attacked.
6) Enable 2-Factor Authentication
Adding 2FA to your website will greatly reduce the risk of you losing access to your website.
7) Perform Regular Security Audits
Regular website audits will allow you to find vulnerabilities before the attackers do.
CVE-2026-3300 FAQs
CVE-2026-3300 is a critical Remote Code Execution vulnerability that is present in all versions of Everest Forms Pro prior to version 1.9.12.
CVE-2026-3300 affects Everest Forms Pro for WordPress.
It carries a CVSS score of 9.8/10, making it a critical security issue.
Yes, there have been approximately 29,300 attempts to exploit this vulnerability.
Everest Forms Pro version 1.9.13 and newer will no longer be subject to exploitation.
Yes, attackers may exploit this vulnerability without the need for authentication using publicly accessible forms..
Successful exploitation of CVE-2026-3300 may allow unauthorized access to the system or a complete takeover of the website.
Final Warning: Update Before Attackers Find Your Site
29,300 attempted attacks have been made against vulnerable sites (to CVE-2026-3300) to date by potential attackers looking for sites with CVE-2026-3300 that haven’t been patched yet.
If you have Everest Forms Pro on your site, make it a priority to upgrade to version 1.9.13 or higher immediately. In addition to this incident, continuing to keep your plugins updated and performing security audits, as well as implementing solid website security practices will provide you with the best overall protection against future threats.
Delays in applying security updates usually end up becoming an expensive mistake, and taking a few minutes each day to secure your site today could save you from a significant breach tomorrow.
