
Hackers are actively exploiting a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro plugin that allows them to take complete control of a WordPress site.
The security issue affects versions 1.9.12 and earlier of the plugin and can be leveraged without authentication to execute arbitrary code on the server.
Everest Forms Pro is a commercial add-on for the WordPress form builder plugin Everest Forms. It is used to create contact, registration, payment, and other custom application forms.
The CVE-2026-3300 vulnerability is in the plugin's Advanced Calculation feature, which accepts values submitted through form fields and inserts them into a PHP code string, then executes the resulting code using PHP's eval() function.
Although user input is passed through the sanitize_text_field() function, that function strips tags and control characters but does not escape single quotes (') or other characters that affect PHP syntax.
As a result, an attacker can close the intended string literal, inject arbitrary PHP code, and comment out the rest of the generated code to achieve code execution on the server.
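The following is an added example, not code from the Everest Forms Pro plugin or from Wordfence, that reproduces the pattern described above in miniature. The function names, the simplified sanitize_text_field() stand-in, and the arithmetic performed are all assumptions made for illustration; the vulnerable builder returns the generated source so you can see exactly what eval() would receive, and a hardened version shows the fix (parse a number, never build code).

```php
<?php
// Added example (hypothetical names), not the plugin's code.

// Stand-in for WordPress's sanitize_text_field(): it strips tags,
// control characters and surrounding whitespace. What matters for this
// bug is what it does NOT do: single quotes, semicolons and "//" pass
// through untouched, so it offers no protection against code construction.
// (Simplified; the real function also normalises whitespace and octets.)
function sanitize_text_field_stub(string $s): string {
    $s = strip_tags($s);
    $s = preg_replace('/[\x00-\x1F\x7F]/', '', $s);
    return trim($s);
}

// VULNERABLE pattern: the submitted field value is spliced into a PHP
// source string as a single-quoted literal and later eval()'d.
function build_calc_code_vulnerable(string $field_value): string {
    $clean = sanitize_text_field_stub($field_value);
    return '$result = \'' . $clean . '\' * 2;';
}

// The flaw itself: eval() on attacker-influenced source. A value such as
// 21'; <statement>; //   closes the literal, runs <statement>, and the
// trailing // turns the rest of the generated line into a comment.
function run_calc_vulnerable(string $field_value): mixed {
    $result = null;
    eval(build_calc_code_vulnerable($field_value));
    return $result;
}

// HARDENED: do not generate code from user input at all. Accept only a
// plain numeric value and do the arithmetic directly in PHP.
function calc_hardened(string $field_value): ?float {
    $clean = trim($field_value);
    if (!is_numeric($clean)) {
        return null; // reject anything that is not a number
    }
    return (float) $clean * 2;
}

// Constructed inputs for the demonstration. The hostile one uses a
// harmless echo as the injected statement, not the account-creation
// payload seen in the wild.
$benign  = '21';
$hostile = "21'; echo '[injected statement executed]'; //";

echo "generated source (benign):  ", build_calc_code_vulnerable($benign), "\n";
echo "generated source (hostile): ", build_calc_code_vulnerable($hostile), "\n";

echo "vulnerable path, benign input: ", var_export(run_calc_vulnerable($benign), true), "\n";
echo "vulnerable path, hostile input: ";
run_calc_vulnerable($hostile);
echo "\n";

echo "hardened path, benign input: ", var_export(calc_hardened($benign), true), "\n";
echo "hardened path, hostile input: ", var_export(calc_hardened($hostile), true), "\n";
```

Running this shows the benign value producing the source `$result = '21' * 2;`, while the hostile value produces `$result = '21'; echo '[injected statement executed]'; //' * 2;`, a syntactically valid line in which the attacker's statement runs before the rest is commented out. The hardened function returns 42.0 for the benign input and null for the hostile one; the general rule it illustrates is that the fix for an eval()-based calculator is to stop evaluating generated code, not to add more string filtering.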
Telemetry data from Wordfence, a firewall and malware scanner for WordPress, shows that the vulnerability is being exploited in the wild to create rogue administrator accounts.
"The attacker submits a value for a text field that begins with a single quote to close the wrapping string literal, followed by a PHP statement that calls wp_insert_user() to create a new administrator account with the username 'diksimarina'," explains a report from Wordfence.
"The trailing // comment marker ensures the rest of the generated PHP code, including the closing quote, is treated as a comment and does not cause a syntax error."
"When the form is processed, and the calculation is evaluated, the injected PHP code is executed, and the malicious administrator account is created."
Administrator-level access gives attackers full power to perform high-risk actions on the breached site, including modifying content, installing plugins and themes, planting backdoors and webshells, and accessing private databases.
Researcher h0xilo submitted the CVE-2026-3300 vulnerability through Wordfence in February, and on March 18, the Everest Forms developer released a patch that addresses the problem.
According to Wordfence data, active exploitation started on April 13, with the firewall blocking over 29,300 attempts.

Source: Wordfence
Wordfence says exploitation attempts originate primarily from two IP addresses, 202.56.2[.]126 and 209.146.60[.]26, and recommends defenders block them.
Wordfence's report also provides several additional offending IP addresses as indicators of compromise (IOCs).
Site administrators are also advised to review log files and administrator accounts for any suspicious activity, especially anything containing the string "diksimarina".



