What's Happening?
A critical vulnerability in the Everest Forms Pro plugin for WordPress has been identified, allowing unauthenticated attackers to execute remote code and potentially take over affected websites. The flaw, tracked as CVE-2026-3300, has a severity score of 9.8 on the CVSS scale and affects all versions up to 1.9.12. The vulnerability was discovered by a researcher known as h0xilo and reported to Wordfence's bug bounty program. The issue arises from the plugin's Calculation add-on, which improperly sanitizes input, allowing attackers to inject PHP code. Wordfence has reported over 29,300 blocked exploit attempts, with a significant surge on May 16, 2026. WPEverest, the plugin's developer, has released a patch in version 1.9.13, urging users to update immediately to protect their sites.
Why Is It Important?
This vulnerability poses a significant risk to WordPress site administrators and users, as it allows attackers to gain unauthorized access and control over websites. The potential for creating rogue administrator accounts and planting malicious code could lead to data breaches, defacement, and further exploitation of compromised sites. With WordPress powering a substantial portion of the internet, the impact of such vulnerabilities can be widespread, affecting businesses, personal blogs, and e-commerce platforms. The incident underscores the importance of timely updates and robust security practices in managing web applications.
What's Next?
Site administrators using Everest Forms Pro are advised to update to the latest version immediately to mitigate the risk of exploitation. Security firms and WordPress developers will likely continue monitoring for similar vulnerabilities and work on enhancing security measures. Users are encouraged to regularly check for updates and apply security patches promptly. The incident may also prompt discussions on improving the security of WordPress plugins and the need for more rigorous testing and validation processes before release.
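As an added example (not code from the article, from WPEverest or from Wordfence): a small Python check that reads the Version: header of a plugin's main file and compares it against the first patched release, 1.9.13, so an administrator can confirm whether an install falls in the affected range (all versions up to 1.9.12). The sample header and the on-disk path are constructed assumptions.

```python
import re
from pathlib import Path

# Constructed sample of a WordPress plugin main-file header. This is not the
# real Everest Forms Pro header; plugin path and slug are assumptions.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Everest Forms Pro
 * Version: 1.9.12
 */
"""

FIXED_VERSION = "1.9.13"  # first patched release named in the advisory


def parse_version(v: str) -> tuple:
    """Split a dotted version like '1.9.12' into comparable integer parts.
    Pre-release suffixes (e.g. '1.9.13-beta') are ignored, and missing
    trailing components are padded with zeros so that '1.9' == '1.9.0'."""
    core = re.match(r"[0-9]+(?:\.[0-9]+)*", v.strip())
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def header_version(plugin_php: str) -> str:
    """Extract the 'Version:' field from a plugin main-file header."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", plugin_php, re.MULTILINE)
    if not m:
        raise ValueError("no Version: header found")
    return m.group(1)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the first fixed release."""
    return parse_version(installed) < parse_version(fixed)


def check_plugin_file(path: Path) -> dict:
    """Read a plugin main file from disk and report its patch status."""
    version = header_version(path.read_text(encoding="utf-8"))
    return {"version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    v = header_version(SAMPLE_PLUGIN_HEADER)
    print(f"installed {v}: {'UPDATE REQUIRED' if is_affected(v) else 'patched'}")
```

To check a live install, call check_plugin_file with the path of the plugin's main PHP file under wp-content/plugins (assumed location), or simply compare the version shown on the WordPress Plugins screen against 1.9.13.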