- Critical RCE vulnerability in Everest Forms Pro (CVE-2026-3300) actively exploited
- Attackers create a malicious "diksimarina" administrator account via PHP injection
- Nearly 30,000 exploitation attempts blocked; administrators are advised to patch and block two key IP addresses
Security researchers are warning of an ongoing hacking campaign targeting some WordPress websites using a popular plugin tool.
Wordfence reported that Everest Forms Pro, a popular WordPress plugin used to build contact, registration, payment, and other application forms, contained a critical severity vulnerability that allows malicious actors to take over sites entirely.
The bug is described as a remote code execution (RCE) flaw via PHP code injection. It is tracked as CVE-2026-3300 and received a severity rating of 9.8/10 (critical). It affects all versions of the plugin up to and including 1.9.12.
Patched months ago
Wordfence now warns that the flaw is being actively used to create malicious administrator accounts on vulnerable websites:
“The attacker submits a value for a text field that begins with a single quote to close the literal string, followed by a PHP statement that calls wp_insert_user() to create a new administrator account with the username ‘diksimarina’,” Wordfence warned in its report.
“The final comment marker // ensures that the rest of the generated PHP code, including the closing quote, is treated as a comment and does not cause a syntax error.”
“When the form is processed and the calculation is evaluated, the injected PHP code is executed and the malicious administrator account is created.”
By creating an administrator account, malicious actors can do almost anything with the website, including exfiltrating stored files, redirecting visitors, or even spreading malware.
The bug was first disclosed in February this year, and in mid-March the Everest Forms developer released a patch. Wordfence says exploitation attempts began about a month later, in mid-April. So far it has blocked nearly 30,000 attempts, most of which came from two IP addresses.
Administrators concerned about being potential targets should block both IP addresses, 202.56.2[.]126 and 209.146.60.26, and should examine their log files for the string “diksimarina”.
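As an added example that is not part of the TechRadar article or the Wordfence report, the Python script below applies the two checks the article suggests to a WordPress installation: whether the installed Everest Forms Pro version falls in the affected range (up to and including 1.9.12), and whether web-server access-log lines originate from the two source IPs named above or contain the "diksimarina" indicator string. The log lines, timestamps and request paths are constructed for the example; parsing assumes the common Apache/nginx "combined" log format, which is an assumption about how the site logs requests. Note that a standard access log does not record POST bodies, so a submitted form value will not appear there; the log scan catches the source addresses and any indicator that reaches the request line, and the site's user list should be checked separately for the rogue account.

```python
"""Triage helper for the Everest Forms Pro CVE-2026-3300 campaign (added example).

Checks:
  1. is_vulnerable_version(): is the installed plugin version <= 1.9.12,
     the last affected release named in the report?
  2. scan_access_log(): flag access-log lines whose client IP is one of the
     two source addresses named in the report, or that contain "diksimarina".
"""
import re

# Last affected Everest Forms Pro release named in the report.
LAST_VULNERABLE = (1, 9, 12)

# Source addresses named in the report (the first is defanged there as 202.56.2[.]126).
CAMPAIGN_IPS = {"202.56.2.126", "209.146.60.26"}

# Username of the administrator account the campaign creates.
INDICATOR = "diksimarina"

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Apr/2026:10:01:02 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '209.146.60.26 - - [17/Apr/2026:10:02:15 +0000] "POST /contact/ HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '203.0.113.9 - - [17/Apr/2026:10:03:40 +0000] "GET /?author=diksimarina HTTP/1.1" 404 0 "-" "curl/8.0"',
    '10.0.0.7 - - [17/Apr/2026:10:04:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def parse_version(text: str) -> tuple:
    """Turn '1.9.12' (or '1.9') into an integer tuple padded to at least 3 parts."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    return (parts + (0, 0, 0))[:max(3, len(parts))]


def is_vulnerable_version(installed: str) -> bool:
    """True when the installed version is at or below 1.9.12 (tuple comparison)."""
    return parse_version(installed) <= LAST_VULNERABLE


def scan_access_log(lines):
    """Return (line_no, ip, request, reasons) for every line that matches an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        reasons = []
        if m["ip"] in CAMPAIGN_IPS:
            reasons.append("source IP named in Wordfence report")
        if INDICATOR in line.lower():
            reasons.append(f"contains indicator '{INDICATOR}'")
        if reasons:
            hits.append((n, m["ip"], m["req"], reasons))
    return hits


if __name__ == "__main__":
    for v in ("1.9.12", "1.9.13"):
        print(f"Everest Forms Pro {v}: {'VULNERABLE' if is_vulnerable_version(v) else 'patched'}")
    for n, ip, req, reasons in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {ip} {req!r}: {'; '.join(reasons)}")
```

Run it against a real log with `scan_access_log(open("/var/log/nginx/access.log"))`; any hit is a prompt to check the WordPress user list for an unexpected administrator and to confirm the plugin has been updated past 1.9.12.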
Via BleepingComputer
