- Critical RCE flaw in Everest Forms Pro (CVE‑2026‑3300) actively exploited
- Attackers create rogue admin account “diksimarina” via PHP injection
- Nearly 30,000 takeover attempts blocked; admins urged to patch and block key IPs
Security researchers are warning of an ongoing hacking campaign targeting certain WordPress websites using a popular plugin tool.
Wordfence has claimed Everest Forms Pro, a popular WordPress plugin, was allegedly being used to create contract, registration, payment, and other application forms, carried a critical-severity vulnerability that allowed malicious actors to take over the sites entirely.
The bug was described as a Remote Code Execution (RCE) flaw via PHP code injection. It is tracked as CVE-2026-3300 and was given the severity rating of 9.8/10 (critical). It affects all versions of the plugin up to, and including, 1.9.12.
Patched months ago
Wordfence is now warning that the flaw is being actively abused in the wild to create malicious admin accounts on vulnerable websites:
“The attacker submits a value for a text field that begins with a single quote to close the wrapping string literal, followed by a PHP statement that calls wp_insert_user() to create a new administrator account with the username ‘diksimarina’,” Wordfence warned in its report.
“The trailing // comment marker ensures the rest of the generated PHP code, including the closing quote, is treated as a comment and does not cause a syntax error.” “When the form is processed, and the calculation is evaluated, the injected PHP code is executed, and the malicious administrator account is created.”
By creating an admin account, malicious actors can do almost anything with the website, including exfiltrating stored files, redirecting visitors, or even serving malware.
The bug was first disclosed in February this year, and by mid-March, the Everest Forms developer released a fix. Wordfence says that exploitation attempts started roughly a month later, in mid-April. So far, it thwarted almost 30,000 attempts, most of which came from two IP addresses.
Admins worried about being potential targets should block the two IP addresses 202.56.2[.]126 and 209.146.60.26, and should review log files for the string “diksimarina.”
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
https://cdn.mos.cms.futurecdn.net/PxxKy74xA4GapoubYuoRtK-2560-80.jpg
Source link
