Vulnerability and Exploitation Details
A critical security flaw in the Everest Forms Pro WordPress plugin is under active exploitation by threat actors, enabling complete site takeover. The vulnerability, an unauthenticated remote code execution bug with a severity (CVSS) score of 9.8, affects all plugin versions up to and including 1.9.12. The root cause is in the Calculation Addon's process_filter() function, which concatenates user-submitted form field values into a string of PHP source and passes that string to eval() without escaping the values for a PHP code context. sanitize_text_field() is applied to the input, but it is an HTML and whitespace sanitizer: it does not escape single quotes or the other characters that are significant inside PHP source. A field value containing a single quote therefore terminates the string literal the plugin builds around it, and whatever follows is evaluated as PHP. An unauthenticated attacker can exploit this by submitting crafted values in string-type form fields (text, email, or URL) of any form that uses the Complex Calculation feature.
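The following is an added illustration of the bug class described above, written for this page; it is not the plugin's process_filter() code, and the hardened variant is a suggested pattern rather than the vendor's 1.9.13 fix, which the report does not describe. The sanitize_text_field_stub() function, the {field} placeholder syntax, the formula, and the attacker_marker() side effect are all assumptions made for the demonstration.

```php
<?php
// Added illustration of "sanitized" string values spliced into PHP source that
// is then passed to eval(). NOT the plugin's process_filter() code; the hardened
// version is a suggested pattern, not the vendor's patch.

// Approximation of WordPress's sanitize_text_field(): strips tags, collapses
// whitespace, removes control characters, trims. Note what it does NOT do:
// it never touches quotes or backslashes, so it is no defence in a code context.
function sanitize_text_field_stub(string $s): string {
    $s = strip_tags($s);
    $s = preg_replace('/[\r\n\t ]+/', ' ', $s);
    $s = preg_replace('/[\x00-\x1F\x7F]/', '', $s);
    return trim($s);
}

// Vulnerable pattern (assumed): each {field} placeholder in an admin-defined
// formula is replaced by the sanitized value wrapped in single quotes, then the
// whole expression is evaluated. A quote in the value ends the literal early.
function calc_vulnerable(string $formula, array $fields) {
    $code = $formula;
    foreach ($fields as $name => $value) {
        $value = sanitize_text_field_stub($value);
        $code  = str_replace('{' . $name . '}', "'" . $value . "'", $code);
    }
    return eval('return ' . $code . ';');
}

// Hardened pattern, two layers:
//  1. var_export() turns the value into a proper PHP string literal, escaping
//     quotes and backslashes, so the value can never close the literal.
//  2. Before eval() runs, the expression (with string literals blanked out) must
//     consist only of numbers, operators, parentheses and an allow-list of
//     functions; anything else is rejected. Replacing eval() with a real
//     expression parser would be better still.
function calc_hardened(string $formula, array $fields) {
    $code = $formula;
    foreach ($fields as $name => $value) {
        $value = sanitize_text_field_stub($value);
        $code  = str_replace('{' . $name . '}', var_export($value, true), $code);
    }
    $blanked = preg_replace("/'(?:[^'\\\\]|\\\\.)*'/", "''", $code);
    $grammar = "/^(?:strlen|round|abs|min|max|floor|ceil|\\d+(?:\\.\\d+)?|''|[\\s+\\-*\\/().,])*$/";
    if (!preg_match($grammar, $blanked)) {
        throw new InvalidArgumentException('formula contains disallowed tokens');
    }
    return eval('return ' . $code . ';');
}

// Benign marker that the injected value calls; on a real site the injected
// code would drop a web shell or create an administrator account instead.
$GLOBALS['marker_ran'] = false;
function attacker_marker(): string { $GLOBALS['marker_ran'] = true; return ''; }

// Constructed inputs: a legitimate name with an apostrophe, and an injection.
$formula = 'strlen({first_name}) * 2';
$cases = [
    'legitimate apostrophe' => "O'Brien",
    'injected value'        => "x' . attacker_marker() . '",
];
foreach ($cases as $label => $input) {
    foreach (['calc_vulnerable', 'calc_hardened'] as $fn) {
        $GLOBALS['marker_ran'] = false;
        try {
            $result = $fn($formula, ['first_name' => $input]);
            $note   = $GLOBALS['marker_ran'] ? 'ATTACKER CODE EXECUTED' : 'ok';
        } catch (Throwable $e) {
            $result = 'error';
            $note   = get_class($e);
        }
        printf("%-22s %-16s result=%-8s %s\n", $label, $fn, var_export($result, true), $note);
    }
}
```

Running it shows both failure modes of the vulnerable pattern: the legitimate "O'Brien" produces a ParseError because the apostrophe breaks the literal, and the injected value runs attacker_marker() while still returning a plausible number. The hardened version returns 14 and 52 respectively, never executes the marker, and would reject a formula that tried to call anything outside the allow-list.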
Impact and Ongoing Attacks
The flaw was patched in version 1.9.13, released on March 18, 2026. It permits attackers to create rogue administrator accounts, deploy web shells, and establish persistent footholds on compromised servers. Security researchers observed exploitation attempts beginning April 13, 2026; at the time of the report more than 29,300 exploit attempts had been blocked, 16 of them in the preceding 24 hours. The most common payload creates an administrator account named "diksimarina" on the targeted site. Attack activity has been traced to several IP addresses, including 202.56.2.126 and 209.146.60.26. Organizations using Everest Forms Pro are strongly urged to update to version 1.9.13 or later immediately. Sites that were still on a vulnerable version after April 13 should also be reviewed for unexpected administrator accounts and web shells, since updating the plugin does not remove a foothold that has already been established.
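As an added indicator check based on the reported rogue username and patch date (not code from the article, the plugin vendor, or the researchers), the script below lists administrator accounts and flags any whose login matches the reported name or whose registration date falls on or after the 1.9.13 release. It runs against an in-memory SQLite copy of the two WordPress tables it needs, populated with constructed sample rows; on a real site the PDO DSN would point at the site's MySQL database and $prefix at the real table prefix. The ROGUE_LOGIN and PATCH_DATE constants are taken from the report; the sample accounts are invented.

```php
<?php
// Added indicator check, not from the article or the plugin. Flags administrator
// accounts that match the reported rogue username or were created on or after
// the patch release date. Sample data below is constructed for the demo.

const ROGUE_LOGIN = 'diksimarina';          // username reported in the attacks
const PATCH_DATE  = '2026-03-18 00:00:00';  // 1.9.13 release date per the report

// Returns [user_login => [reasons...]] for every suspicious administrator.
function find_suspicious_admins(PDO $db, string $prefix = 'wp_'): array {
    // WordPress stores roles in usermeta under "<prefix>capabilities" as a
    // PHP-serialized array, e.g. a:1:{s:13:"administrator";b:1;}
    $sql = "SELECT u.ID, u.user_login, u.user_registered, m.meta_value
              FROM {$prefix}users u
              JOIN {$prefix}usermeta m ON m.user_id = u.ID
             WHERE m.meta_key = '{$prefix}capabilities'";
    $hits = [];
    foreach ($db->query($sql) as $row) {
        $caps = @unserialize($row['meta_value'], ['allowed_classes' => false]);
        if (!is_array($caps) || empty($caps['administrator'])) {
            continue;  // not an administrator
        }
        $reasons = [];
        if ($row['user_login'] === ROGUE_LOGIN) {
            $reasons[] = 'login matches the reported rogue account name';
        }
        if ($row['user_registered'] >= PATCH_DATE) {
            $reasons[] = 'administrator registered on or after the patch release';
        }
        if ($reasons) {
            $hits[$row['user_login']] = $reasons;
        }
    }
    return $hits;
}

// Constructed sample data: a legitimate admin, an editor, and a rogue admin.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT)');
$db->exec('CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)');
$admin  = 'a:1:{s:13:"administrator";b:1;}';
$editor = 'a:1:{s:6:"editor";b:1;}';
$db->exec("INSERT INTO wp_users VALUES
    (1, 'owner',       '2021-05-02 09:00:00'),
    (2, 'writer',      '2023-01-10 12:00:00'),
    (3, 'diksimarina', '2026-04-14 03:12:45')");
$db->exec("INSERT INTO wp_usermeta VALUES
    (1, 'wp_capabilities', '$admin'),
    (2, 'wp_capabilities', '$editor'),
    (3, 'wp_capabilities', '$admin')");

foreach (find_suspicious_admins($db) as $login => $reasons) {
    echo $login . ': ' . implode('; ', $reasons) . PHP_EOL;
}
```

A clean result from this check is not proof of a clean site: an attacker with code execution can backdate user_registered or avoid creating an account at all and rely on a web shell, so pair it with a review of recently modified PHP files and of web server logs for requests from the IP addresses named in the report.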
Source: The Hacker News

