CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 04, 2026

Hackers Actively Exploiting WordPress Plugin Vulnerability to Inject Malicious PHP Code

Cybersecurity News Archived Jun 04, 2026 ✓ Full text saved

Hackers are actively exploiting a critical remote code execution (RCE) vulnerability in the Everest Forms Pro WordPress plugin, allowing unauthenticated attackers to inject and execute arbitrary PHP code on vulnerable websites. The flaw, tracked as CVE-2026-3300 with a CVSS score of 9.8, affects all versions up to 1.9.12 and has already been observed in widespread […] The post Hackers Actively Exploiting WordPress Plugin Vulnerability to Inject Malicious PHP Code appeared first on Cyber Security

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Hackers Actively Exploiting WordPress Plugin Vulnerability to Inject Malicious PHP Code By Abinaya June 4, 2026 Hackers are actively exploiting a critical remote code execution (RCE) vulnerability in the Everest Forms Pro WordPress plugin, allowing unauthenticated attackers to inject and execute arbitrary PHP code on vulnerable websites. The flaw, tracked as CVE-2026-3300 with a CVSS score of 9.8, affects all versions up to 1.9.12 and has already been observed in widespread exploitation campaigns. The vulnerability was publicly disclosed on March 30, 2026, after the vendor released a patch on March 18, 2026. Despite the availability of a fix, threat actors began actively targeting unpatched installations on April 13, 2026. According to Wordfence threat intelligence data, more than 29,300 exploitation attempts have been blocked, with a significant spike of over 17,900 attacks recorded on May 16 alone. Total Number of Exploits Blocked (source: Wordfence) WordPress Plugin Exploitation The root cause of the issue lies in the plugin’s “Complex Calculation” feature, specifically within the process_filter() function. This function dynamically constructs PHP code by concatenating user-supplied form inputs, then evaluates it with the dangerous eval() function. Although input is processed with sanitize_text_field(), the function fails to escape critical characters, such as single quotes, which allows attackers to bypass string context and inject malicious PHP code. This design flaw allows unauthenticated attackers to craft malicious payloads through standard form fields such as text, email, URL, select, and radio inputs. Shows where Wordfence blocks exploitation attempts before compromise(source: Wordfence) By injecting a single quote followed by arbitrary PHP code and a comment sequence, attackers can manipulate the generated code and achieve execution on the server. Observed attack patterns indicate that threat actors primarily exploit this vulnerability to create rogue administrator accounts. In one common exploitation attempt, attackers inject PHP code that calls WordPress’s wp_insert_user() function to create a new admin user with the username “diksimarina.” Once administrative access is established, attackers can upload webshells, modify site content, deploy backdoors, or pivot further into the hosting environment. Security telemetry identified multiple IPs actively exploiting Everest Forms Pro, generating thousands of malicious requests and serving as strong IOCs for blocking and monitoring. High-Activity Malicious IP Addresses: 202.56.2[.]126: Tens of thousands of blocked requests. 209.146.60[.]26: Several thousand exploit attempts. 15.235.166[.]18: Hundreds of malicious requests. 2402:1f00:8000[:]800::40db: Active IPv6 exploit activity. 185.78.165[.]153: Confirmed hostile scanning activity. blocked exploit attempts by IP (source :wordfence ) The attacks typically target the /wp-admin/admin-ajax.php endpoint, submitting specially crafted POST requests designed to exploit the vulnerable calculation logic. The vulnerability poses a significant risk because it does not require authentication and can be triggered remotely through publicly accessible forms. Any website using Everest Forms Pro with the Complex Calculation feature enabled is particularly exposed. Wordfence customers received early protection through firewall rules as early as February 27, 2026, while free users were protected starting March 29, 2026. However, relying solely on virtual patching is insufficient, as updating to the latest patched version, 1.9.13, remains critical to mitigate the risk fully. Website administrators are strongly advised to update the plugin immediately, audit user accounts for unauthorized administrator creation, and review server logs for suspicious requests. Indicators of compromise include unknown admin users, especially those matching observed attacker patterns, and requests originating from known malicious IP addresses. Given the active exploitation and low barrier to attack, this vulnerability represents a high-impact threat to WordPress environments, reinforcing the need for timely patching and continuous monitoring. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news vulnerability Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Oracle Critical Security Update – Patch for 35 New Vulnerabilities Across Products Critical KMW CCTV Vulnerability Let Attackers Gain Unauthorized Access to Camera Feeds Microsoft Releases KB5089573 for Windows 11 to Fix Patch Tuesday Install Issues IBM WebSphere Server Vulnerable to Remote Code Execution Attack Via Crafted Request Malicious NuGet Package as Sicoob SDK Exfiltrates Banking Passwords Latest News Cyber Security Comodo Internet Security 0-Day Vulnerability Lets Attacker Crash the User’s Windows System Cyber Security News Cisco Unified Communications Manager Vulnerability Exposed Along With PoC Exploit Code Android CISA Warns of Android Framework Integer Overflow Vulnerability Exploited in Attacks Cyber Security News Hackers Use Fake Chrome Web Store Copyright Notices to Steal Google Credentials Cyber Security News Acer Working to Patch Wave 7 Router 0-day Vulnerability
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 04, 2026
    Archived
    Jun 04, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗