Attackers Launch 29,300 Exploits Against Everest Forms Pro Vulnerability to Create Rogue WordPress Admin Accounts

Attackers launched more than 29,300 exploitation attempts against WordPress sites running Everest Forms Pro between April 13 and June 6, according to firewall telemetry data published by Wordfence. The campaign exploits CVE-2026-3300, a critical code execution vulnerability in the commercial plugin's Complex Calculation feature, to create administrator accounts with the username "diksimarina" and establish persistent control over breached sites.

TL;DR: Hackers actively exploit CVE-2026-3300 in Everest Forms Pro versions 1.9.12 and earlier to inject PHP code, create rogue admin accounts, and take over WordPress sites; patch released March 18 but exploitation began April 13.

How the Vulnerability Enables Site Takeover

CVE-2026-3300 lies in Everest Forms Pro's Complex Calculation feature, which takes values from form fields, interpolates them into a PHP code string, and executes the result with PHP's eval() function. The plugin runs user input through sanitize_text_field(), but that function does not escape single quotes or other characters that alter PHP syntax, according to Wordfence's June 6 disclosure.

"The attacker submits a value for a text field that begins with a single quote to close the wrapping string literal, followed by a PHP statement that calls wp_insert_user() to create a new administrator account with the username 'diksimarina,'" Wordfence researcher h0xilo explained in the security report. The injected code uses a trailing comment marker (//) to prevent syntax errors in the remaining generated PHP.

When the form processes the calculation, the malicious PHP executes and the rogue administrator account appears in the WordPress user database. Administrator-level access grants attackers authority to modify site content, install backdoored plugins or themes, access private databases, and deploy webshells for long-term persistence.

[Image: WordPress dashboard showing a malicious administrator account created through the Everest Forms Pro vulnerability]

Timeline From Disclosure to Active Exploitation

Researcher h0xilo submitted CVE-2026-3300 to Wordfence in February 2026. WPEverest, the plugin developer, released version 1.9.13 on March 18 to patch the flaw. Exploitation began 26 days later on April 13, with Wordfence firewall logs showing concentrated attack traffic from two IP addresses: 202.56.2[.]126 and 209.146.60[.]26.

Wordfence data shows the vulnerability affects Everest Forms Pro versions 1.9.12 and earlier. Everest Forms Pro is a premium add-on for the free Everest Forms plugin, marketed for building contact forms, payment forms, and registration flows in WordPress. No public install-count data exists for the commercial plugin, but exploitation volume suggests meaningful deployment across client sites.

The March 18 patch eliminated the eval() execution path and applied proper input escaping to calculation fields. Sites still running version 1.9.12 or earlier remain vulnerable to unauthenticated remote code execution.

Indicators of Compromise and Remediation Steps

Website administrators should audit administrator account lists for any user named "diksimarina" and review server logs for POST requests to form endpoints containing single-quote characters followed by PHP function calls. Wordfence published a list of offending IP addresses beyond the two primary sources; defenders should block these at the firewall level and correlate them against access logs from the past eight weeks.

Similar exploitation patterns emerged in the Kirki WordPress plugin vulnerability disclosed earlier this year and the WP Maps Pro flaw that enabled unauthenticated admin account creation. Both campaigns followed the disclosure-to-exploitation timeline CVE-2026-3300 demonstrates: patches released, sites left unpatched, automated scanners finding vulnerable targets within weeks.

For white-label agencies managing Everest Forms Pro across client portfolios, the remediation protocol requires immediate update deployment to version 1.9.13 or later, followed by a database audit for the "diksimarina" account on every site. Logs should be checked for the injected wp_insert_user() pattern in form submission data going back to April 13.
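The checks recommended in the two remediation passages above (plugin version, submitted field values, administrator accounts) as a Python triage script. This is an added example, not code from Wordfence, WPEverest or the article; the record shapes it consumes and every sample value in it are constructed for illustration.

```python
import re
from datetime import date

IOC_USERNAME = "diksimarina"             # forensic marker named in the report
FIXED_VERSION = (1, 9, 13)               # first patched release, shipped March 18
EXPLOITATION_START = date(2026, 4, 13)   # first observed attacks per the article

# Shape of the injected value described in the report: a leading single quote
# closes the wrapped string literal, then a PHP call such as wp_insert_user(...)
# follows. Deliberately coarse (no trailing "//" required) since payloads vary.
INJECTION_RE = re.compile(r"^\s*'.*?\b[A-Za-z_]\w*\s*\(", re.DOTALL)

def parse_version(text):
    """'1.9.12' -> (1, 9, 12); a missing component counts as 0."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def is_vulnerable_version(text):
    """True for Everest Forms Pro 1.9.12 and earlier."""
    return parse_version(text) < FIXED_VERSION

def suspicious_values(values):
    """Return submitted field values whose shape matches the injection."""
    return [v for v in values if INJECTION_RE.search(v)]

def rogue_admins(users):
    """users: iterable of (user_login, role, user_registered), the last being
    the wp_users 'YYYY-MM-DD HH:MM:SS' string. Flags the known IoC login and
    any administrator registered on or after the first exploitation date."""
    hits = []
    for login, role, registered in users:
        if role != "administrator":
            continue
        created = date.fromisoformat(registered[:10])
        if login == IOC_USERNAME or created >= EXPLOITATION_START:
            hits.append(login)
    return hits

if __name__ == "__main__":
    # Constructed sample data, not taken from any real site or from the report.
    print(is_vulnerable_version("1.9.12"), is_vulnerable_version("1.9.13"))
    print(suspicious_values(["42", "Jane Doe", "'; wp_insert_user(...); //"]))
    print(rogue_admins([("owner", "administrator", "2023-05-01 10:00:00"),
                        ("diksimarina", "administrator", "2026-04-14 02:13:09")]))
```

Every hit from rogue_admins() and suspicious_values() is a lead for a human to confirm, not a verdict; the date-based admin check in particular will surface legitimately created accounts.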

Why This Matters Now

CVE-2026-3300 represents the fourth major WordPress plugin vulnerability disclosed in June 2026 with confirmed active exploitation, following flaws in All-In-One Security, Gravity Forms, and Account Switcher. The recurring pattern—commercial or widely deployed plugins releasing patches followed by exploitation within 30 days—exposes a structural gap in white-label agency security workflows: patch deployment cadence trails attacker scanning speed.

Agencies running centralized maintenance contracts can force-update Everest Forms Pro across client sites via WP-CLI or management platforms like ManageWP or MainWP. Agencies without those update mechanisms face manual site-by-site remediation, a labor cost that compounds with every subsequent vulnerability. The 29,300 blocked exploitation attempts Wordfence logged represent only the subset of sites protected by that specific firewall; unprotected sites running vulnerable versions likely experienced successful breaches.

The "diksimarina" username serves as a reliable forensic marker for this campaign, but attackers can modify exploit payloads to create differently named accounts or inject webshells directly. Agencies should treat the username check as a minimum baseline and pair it with broader architecture audits that surface unauthorized code changes, unfamiliar plugins, or database anomalies across white-label portfolios.