Critical Remote Code Execution in Everest Forms Pro (CVE‑2026‑3300) Enables WordPress Site Takeover
What It Is – A critical unauthenticated RCE flaw in the Everest Forms Pro WordPress plugin (versions 1.9.12 and earlier) allows attackers to inject arbitrary PHP via the Complex Calculation feature and gain full administrator control of the host site.
Exploitability – Active exploitation has been observed in the wild since April 2026; Wordfence telemetry reports more than 29,000 blocked attempts. A public PoC exists in the form of crafted form submissions; CVSS v3.1 ≈ 9.8 (Critical).
Affected Products – Everest Forms Pro (commercial add‑on for the Everest Forms core plugin) running on WordPress sites.
TPRM Impact – A compromised third‑party website can become a launchpad for supply‑chain attacks, data exfiltration, and brand damage for any organization that embeds the plugin in its web presence or relies on it for customer‑facing forms.
Recommended Actions –
- Immediately upgrade to Everest Forms Pro ≥ 1.9.13 (the March 2026 patch).
- Block the two malicious IPs (202.56.2.126, 209.146.60.26) at the firewall level.
- Audit WordPress admin accounts for unauthorized users and rotate all privileged credentials.
- Deploy a Web Application Firewall (WAF) rule to strip single‑quote characters from form fields or disable the Complex Calculation feature until patched.
- Review logs for suspicious form submissions and monitor for newly created admin accounts.
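The following Python helpers are an added example for the triage steps above; they are not code from the advisory, from BleepingComputer, or from the plugin vendor. They assume three inputs: the installed plugin version as a string (for example from `wp plugin get <slug> --field=version`, where the plugin slug is not stated on the page and is left as an assumption), a constructed one-line-per-request log format `"<ip> <method> <path> fields=<url-encoded form fields>"` standing in for a WAF or application log (plain web-server access logs do not record POST bodies, so they cannot show form field contents), and a user list in the shape `wp user list --role=administrator --format=json` is assumed to emit (`user_login`, `user_registered`, `roles`). The patched version and the two IP addresses come from the advisory; all log lines and user records are constructed.

```python
"""Defensive triage helpers for the Everest Forms Pro advisory (added example).

Checks three things the recommended actions call for:
  1. whether the installed plugin version is at or above the patched release,
  2. which logged form submissions come from the advisory's IPs or carry a
     single-quote character in a form field (the WAF heuristic above),
  3. which administrator accounts were created recently.
"""
from datetime import datetime, timedelta
from urllib.parse import parse_qs

PATCHED_VERSION = (1, 9, 13)                      # from the advisory
KNOWN_BAD_IPS = {"202.56.2.126", "209.146.60.26"}  # from the advisory


def parse_version(text):
    """Turn '1.9.12' into (1, 9, 12); non-numeric or missing parts count as 0."""
    nums = []
    for part in text.strip().split(".")[:3]:
        digits = "".join(ch for ch in part if ch.isdigit())
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_patched(version_text):
    """True when the installed Everest Forms Pro version is >= 1.9.13."""
    return parse_version(version_text) >= PATCHED_VERSION


def triage_log_line(line):
    """Return the reasons a constructed log line looks suspicious ([] if none)."""
    reasons = []
    try:
        ip, method, _path, fields_part = line.split(" ", 3)
    except ValueError:
        return ["unparseable line"]
    if ip in KNOWN_BAD_IPS:
        reasons.append(f"source {ip} listed in advisory")
    if method == "POST" and fields_part.startswith("fields="):
        fields = parse_qs(fields_part[len("fields="):], keep_blank_values=True)
        for name, values in fields.items():
            if any("'" in v for v in values):
                reasons.append(f"single quote in form field '{name}'")
    return reasons


def scan_log(lines):
    """Return [(line_number, line, reasons)] for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, 1):
        reasons = triage_log_line(line)
        if reasons:
            hits.append((number, line, reasons))
    return hits


def recent_admins(users, now, window_days=7):
    """Logins of administrator accounts registered within the last window_days.

    `users` follows the assumed WP-CLI JSON shape: 'roles' is a comma-separated
    string and 'user_registered' is 'YYYY-MM-DD HH:MM:SS'.
    """
    cutoff = now - timedelta(days=window_days)
    found = []
    for user in users:
        if "administrator" not in user.get("roles", "").split(","):
            continue
        created = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if created >= cutoff:
            found.append(user["user_login"])
    return found


# Constructed sample data (not real telemetry); RFC 5737 addresses for benign traffic.
SAMPLE_LOG = [
    "203.0.113.10 GET /contact/ fields=",
    "203.0.113.11 POST /contact/ fields=name=Alice&email=alice%40example.com",
    "209.146.60.26 POST /contact/ fields=name=x&email=x%40example.com",
    "203.0.113.12 POST /contact/ fields=name=O%27Brien&quantity=3",
    "202.56.2.126 POST /contact/ fields=quantity=1%27",
]
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2023-02-01 09:00:00", "roles": "administrator"},
    {"ID": 57, "user_login": "wpsupport", "user_registered": "2026-04-20 03:14:00", "roles": "administrator"},
    {"ID": 58, "user_login": "editor1", "user_registered": "2026-04-21 10:00:00", "roles": "editor"},
]
SAMPLE_NOW = datetime(2026, 4, 22, 12, 0, 0)  # constructed reference time

if __name__ == "__main__":
    print("patched:", is_patched("1.9.12"))
    for number, line, reasons in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
    print("recent admins:", recent_admins(SAMPLE_USERS, SAMPLE_NOW))
```

The single-quote heuristic is a triage signal, not proof of an attack: the `O'Brien` line shows that legitimate names trip it, which is also why a WAF rule that strips quotes from form fields can corrupt genuine input. Treat a quote hit as a reason to pull the full request and correlate it with the source IP and with any administrator account created shortly afterwards, rather than as a verdict on its own.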
Source: BleepingComputer