Hackers Exploiting Critical WordPress Plugin Flaw in Thousands of Daily Attacks
Urgent: Everest Forms Pro WordPress plugin flaw under attack. Update to patch 1.9.13 to prevent unauthorized admin access.
By Content Team
A critical vulnerability in the Everest Forms Pro WordPress plugin is under active attack, with over 29,300 exploitation attempts blocked since April 13, 2026. The flaw, CVE-2026-3300, scores a near-perfect 9.8 on the CVSS scale and affects all versions up to 1.9.12.
The bug lives in the plugin's "Complex Calculation" feature, where user inputs are passed directly into PHP's eval() function without proper sanitization. Attackers don't need credentials — they just submit a crafted form field. Most attacks aim to create rogue admin accounts, with one common payload creating a user named "diksimarina."
A patch (version 1.9.13) has been available since March 18. Update immediately.
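The root cause described above is a calculation feature that hands user-supplied text to eval(). The following added example (not code from Everest Forms Pro or its vendor) shows the defensive alternative a plugin author would use: a whitelist plus a small recursive-descent parser that evaluates arithmetic only, so the submitted text is data, never PHP code. Function names and the sample inputs are constructed for the illustration.

```php
<?php
// Added example, not Everest Forms Pro code: parse submitted arithmetic with a
// restricted grammar instead of eval(), so the text can never execute as PHP.
//   sum := product (('+'|'-') product)*   product := factor (('*'|'/') factor)*
//   factor := number | '(' sum ')' | '-' factor
const CALC_OPS = [['+', '-'], ['*', '/']]; // operators by precedence level (0 = sum, 1 = product)
function safe_calculate(string $expr): float
{
    // Whitelist first: digits, whitespace, '.', the four operators and parentheses.
    if (!preg_match('/^[\d\s.+\-*\/()]+$/', $expr)) { throw new InvalidArgumentException('Disallowed characters in expression'); }
    $s = preg_replace('/\s+/', '', $expr);
    $i = 0;
    $v = parse_level($s, $i, 0);
    if ($i !== strlen($s)) { throw new InvalidArgumentException("Unexpected input at offset $i"); }
    return $v;
}
function parse_level(string $s, int &$i, int $level): float // sum (level 0) or product (level 1)
{
    $v = $level === 1 ? parse_factor($s, $i) : parse_level($s, $i, 1);
    while (in_array($op = $s[$i] ?? '', CALC_OPS[$level], true)) {
        $i++;
        $r = $level === 1 ? parse_factor($s, $i) : parse_level($s, $i, 1);
        if ($op === '/' && $r == 0.0) { throw new DivisionByZeroError('Division by zero'); }
        $v = match ($op) { '+' => $v + $r, '-' => $v - $r, '*' => $v * $r, '/' => $v / $r };
    }
    return $v;
}
function parse_factor(string $s, int &$i): float // number, parenthesised sum, or unary minus
{
    $ch = $s[$i] ?? '';
    if ($ch === '(') {
        $i++;
        $v = parse_level($s, $i, 0);
        if (($s[$i] ?? '') !== ')') { throw new InvalidArgumentException('Missing )'); }
        $i++;
        return $v;
    }
    if ($ch === '-') { $i++; return -parse_factor($s, $i); }
    if (!preg_match('/\G\d+(?:\.\d+)?/', $s, $m, 0, $i)) {
        throw new InvalidArgumentException("Expected a number at offset $i");
    }
    $i += strlen($m[0]);
    return (float) $m[0];
}
// Constructed inputs: a valid calculation, then text that is PHP rather than arithmetic.
echo safe_calculate('(2 + 3) * 4 - 10 / 4'), "\n"; // 17.5
try { safe_calculate('2 + strlen("ab")'); }
catch (InvalidArgumentException $e) { echo 'Rejected: ', $e->getMessage(), "\n"; }
```

Because the whitelist and grammar admit no identifiers, quotes or semicolons, function calls and statements are rejected before any evaluation happens, which is the property the vulnerable feature lacked.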
Source: Cybersecurity News