How can I protect my WordPress site from this vulnerability?

To protect your site, immediately update the Everest Forms Pro plugin to version 1.9.13 or later, monitor for unauthorized administrator accounts, and review server logs for suspicious activity.

What actions can attackers perform if they exploit this vulnerability?

Exploiting this vulnerability allows attackers to create administrator accounts, modify website content, install malicious plugins, access sensitive data, and potentially deploy backdoors for persistent access.

Critical Vulnerability in Everest Forms Pro Exploited to Hijack WordPress Sites

Q: What is CVE-2026-3300?

CVE-2026-3300 is a critical vulnerability in the Everest Forms Pro plugin for WordPress that allows unauthenticated remote code execution, enabling attackers to create rogue administrator accounts and take control of affected websites.

A severe flaw in the Everest Forms Pro plugin (CVE-2026-3300) is being actively exploited, allowing attackers to gain full control over WordPress websites by creating rogue administrator accounts.

Published: June 6, 2026

Share this on:

Executive Summary

In June 2026, a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro plugin for WordPress was actively exploited by attackers to gain unauthorized control over websites. The flaw, present in versions up to and including 1.9.12, resided in the plugin's Complex Calculation feature, which improperly handled user input, allowing unauthenticated remote code execution. Exploiting this, attackers created rogue administrator accounts, enabling them to modify content, install malicious plugins, and access sensitive data. The vulnerability was patched on March 18, 2026, but exploitation began on April 13, 2026, with over 29,300 attempts blocked by security tools. This incident underscores the persistent threat posed by vulnerabilities in widely-used WordPress plugins. Website administrators are urged to promptly update plugins and monitor for unauthorized access to mitigate such risks.

Why This Matters Now

The active exploitation of CVE-2026-3300 highlights the critical need for timely updates and vigilant monitoring of WordPress plugins to prevent unauthorized access and potential data breaches.

Attack Path Analysis

An unauthenticated attacker exploited a code injection vulnerability in the Everest Forms Pro plugin to execute arbitrary PHP code on the server. This allowed the attacker to create a rogue administrator account, escalating privileges. With administrative access, the attacker could move laterally within the WordPress environment, potentially accessing other sensitive areas. The attacker established command and control by installing backdoors or web shells. They could exfiltrate sensitive data stored on the server. Finally, the attacker could deface the website or disrupt its availability.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

High

Lateral Movement

Mediuminferred

Command & Control

Mediuminferred

Exfiltration

Mediuminferred

Impact

Mediuminferred

Initial Compromise

Description

An unauthenticated attacker exploited a code injection vulnerability in the Everest Forms Pro plugin to execute arbitrary PHP code on the server.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2026-3300
CVSS 9.8
A critical vulnerability in Everest Forms Pro versions up to 1.9.12 allows unauthenticated remote code execution via the Complex Calculation feature, leading to potential full site compromise.
Affected Products:
WPEverest Everest Forms Pro – <= 1.9.12
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2026-3300 https://www.wordfence.com/blog/2026/06/attackers-actively-exploiting-critical-vulnerability-in-everest-forms-pro-plugin/https://www.bleepingcomputer.com/news/security/critical-everest-forms-pro-flaw-exploited-to-take-over-wordpress-sites/

MITRE ATT&CK® Techniques

Initial Access

T1190

Exploit Public-Facing Application

Execution

T1059.001

Command and Scripting Interpreter: PowerShell

Persistence

T1078.003

Valid Accounts: Local Accounts

Privilege Escalation

T1548.002

Abuse Elevation Control Mechanism: Bypass User Account Control

Defense Evasion

T1070.004

Indicator Removal: File Deletion

Initial Access

T1566.001

Phishing: Spearphishing Attachment

Credential Access

T1003.001

OS Credential Dumping: LSASS Memory

Lateral Movement

T1021.002

Remote Services: SMB/Windows Admin Shares

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities

Control ID: 6.2

The exploitation of a known vulnerability in the Everest Forms Pro plugin indicates a failure to apply necessary security patches, violating the requirement to protect systems from known vulnerabilities.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The incident suggests inadequate implementation of a comprehensive cybersecurity policy that addresses the identification and mitigation of vulnerabilities in third-party software components.

DORA – ICT Risk Management Framework

Control ID: Article 5

The breach highlights deficiencies in the institution's ICT risk management framework, particularly in managing risks associated with third-party software vulnerabilities.

CISA ZTMM 2.0 – Asset Management

Control ID: 3.1

The exploitation of the plugin vulnerability indicates a lack of effective asset management practices, including the identification and protection of critical assets and software components.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The incident demonstrates insufficient implementation of cybersecurity risk management measures, particularly in addressing vulnerabilities in third-party software used within the organization.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Computer Software/Engineering

Critical WordPress plugin vulnerability enables unauthorized administrator account creation, threatening web applications with code execution and complete site takeover capabilities.

Marketing/Advertising/Sales

Everest Forms Pro exploitation compromises customer data collection systems, enabling attackers to manipulate lead generation forms and access sensitive marketing databases.

E-Learning

Web application vulnerabilities in registration and contact forms expose student data, allowing attackers to create rogue accounts and access educational platforms.

Professional Training

Form builder plugin flaws enable attackers to compromise training portals, manipulating enrollment systems and accessing participant information through administrator privilege escalation.

Sources

Critical Everest Forms Pro flaw exploited to take over WordPress siteshttps://www.bleepingcomputer.com/news/security/critical-everest-forms-pro-flaw-exploited-to-take-over-wordpress-sites/
Verified

NVD - CVE-2026-3300https://nvd.nist.gov/vuln/detail/CVE-2026-3300

Verified

Attackers Actively Exploiting Critical Vulnerability in Everest Forms Pro Pluginhttps://www.wordfence.com/blog/2026/06/attackers-actively-exploiting-critical-vulnerability-in-everest-forms-pro-plugin/

Verified

Frequently Asked Questions

CVE-2026-3300 is a critical vulnerability in the Everest Forms Pro plugin for WordPress that allows unauthenticated remote code execution, enabling attackers to create rogue administrator accounts and take control of affected websites.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and identity-based access controls.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: While the initial exploitation may still occur, the attacker's subsequent actions would likely be constrained, reducing the potential for further compromise.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges would likely be constrained, reducing the potential for unauthorized administrative access.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's lateral movement would likely be constrained, reducing the potential to access other sensitive areas within the environment.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The attacker's ability to establish command and control channels would likely be constrained, reducing the potential for persistent access.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing the potential for data loss.

Impact (Mitigations)

The attacker's ability to deface the website or disrupt its availability would likely be constrained, reducing the potential for service disruption.

Impact at a Glance

Affected Business Functions

Website Content Management
User Registration
E-commerce Transactions

Operational Disruption

Estimated downtime: 3 days

Financial Impact

Estimated loss: $5,000

Data Exposure

Potential exposure of user data, including personal information and payment details.

Recommended Actions

• Implement input validation and sanitization to prevent code injection vulnerabilities.
• Regularly update and patch plugins to address known vulnerabilities.
• Monitor for unauthorized administrator account creation and unusual activity.
• Restrict administrative privileges to necessary personnel only.
• Conduct regular security audits and penetration testing to identify and remediate vulnerabilities.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Critical Vulnerability in Everest Forms Pro Exploited to Hijack WordPress Sites

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2026-3300

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Exploit Public-Facing Application

Command and Scripting Interpreter: PowerShell

Valid Accounts: Local Accounts

Abuse Elevation Control Mechanism: Bypass User Account Control

Indicator Removal: File Deletion

Phishing: Spearphishing Attachment

OS Credential Dumping: LSASS Memory

Remote Services: SMB/Windows Admin Shares

Potential Compliance Exposure

PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Asset Management

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Computer Software/Engineering

Marketing/Advertising/Sales

E-Learning

Professional Training

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads