Threat Actors Exploit Critical Vulnerability in Everest Forms Pro Plugin
AI-generated from multiple sources. Verify before acting on this reporting.
LONDON, June 5 (AP) — Cybersecurity researchers have identified active exploitation of a critical remote code execution vulnerability in the Everest Forms Pro WordPress plugin, allowing threat actors to compromise websites globally.
The vulnerability, designated CVE-2026-3300, enables attackers to execute arbitrary PHP code on affected servers. Security experts warn that the flaw is being actively weaponized to create unauthorized administrator accounts, deploy web shells, and establish persistent access to compromised systems.
The Everest Forms Pro plugin is widely used across the WordPress ecosystem for creating contact forms, surveys, and registration pages. The vulnerability affects versions prior to the latest security patch released by the plugin's developers. Administrators of sites running unpatched versions are at immediate risk of full server compromise.
Attackers are leveraging the flaw to inject malicious scripts that bypass standard authentication mechanisms. Once inside, threat actors can modify site content, steal sensitive user data, or use the compromised servers as launchpads for further attacks against other networks. The ability to create rogue administrator accounts allows attackers to maintain control even if initial access points are closed.
WordPress administrators are urged to update the plugin immediately to the latest version, which includes a fix for CVE-2026-3300. Site owners should also scan their servers for signs of compromise, including unauthorized files, new user accounts, or unexpected outbound network connections. Security teams recommend isolating affected systems until a thorough investigation can be conducted.
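The following triage sketch covers two of the compromise signs named above, unauthorized files and new administrator accounts. It is an added example, not code from the plugin vendor or the researchers cited. It assumes the uploads directory should hold no PHP-executable files, that the administrator list has been exported as CSV with `user_login` and `user_registered` columns (for instance via WP-CLI's `wp user list`), and that the account names, baseline and cut-off date are constructed sample values.

```python
import csv
import os
import tempfile
from datetime import datetime

PHP_EXTS = {".php", ".phtml", ".phar"}  # assumption: none belong under uploads

def find_php_in_uploads(uploads_dir):
    """Return sorted relative paths of PHP-executable files under uploads_dir."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if os.path.splitext(name)[1].lower() in PHP_EXTS:
                hits.append(os.path.relpath(os.path.join(root, name), uploads_dir))
    return sorted(hits)

def find_unexpected_admins(admin_csv, baseline, cutoff):
    """Flag admins absent from the known-good baseline or created on/after cutoff."""
    findings = []
    for row in csv.DictReader(admin_csv.splitlines()):
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if row["user_login"] not in baseline:
            reasons.append("not in baseline")
        if registered >= cutoff:
            reasons.append("registered on or after cutoff")
        if reasons:
            findings.append((row["user_login"], reasons))
    return findings

# Constructed sample data: an exported administrator list and a known-good baseline.
SAMPLE_ADMINS = """user_login,user_registered
siteowner,2021-03-14 09:12:00
webmaster,2023-08-02 16:40:11
wp_support01,2026-06-03 02:17:45
"""
BASELINE = {"siteowner", "webmaster"}
CUTOFF = datetime(2026, 6, 1)  # constructed start of the review window

def demo():
    with tempfile.TemporaryDirectory() as uploads:  # stand-in for wp-content/uploads
        os.makedirs(os.path.join(uploads, "2026", "06"))
        for rel in ("logo.png", "cache.PHP"):  # extension match is case-insensitive
            open(os.path.join(uploads, "2026", "06", rel), "w").close()
        files = find_php_in_uploads(uploads)
    return files, find_unexpected_admins(SAMPLE_ADMINS, BASELINE, CUTOFF)

if __name__ == "__main__":
    print(demo())
```

A hit from either check is a lead for investigation, not proof of compromise; confirm each flagged file or account against change records before removing it.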
The exploitation campaign appears to be coordinated, with multiple indicators pointing to organized threat groups targeting high-traffic websites. The timing of the attacks suggests attackers are capitalizing on the window between vulnerability disclosure and widespread patching.
Security vendors have issued alerts advising organizations to monitor for suspicious activity related to the Everest Forms Pro plugin. Network traffic analysis shows increased attempts to exploit the vulnerability across various geographic regions, indicating broad, geographically distributed targeting.
Questions remain regarding the full scope of the compromise and whether any data has been exfiltrated from affected systems. Researchers continue to monitor the situation for new indicators of compromise and additional vulnerabilities that may be exploited in tandem with CVE-2026-3300.
The incident highlights the ongoing risks posed by unpatched software in widely used content management systems. As WordPress remains one of the most popular platforms for building websites, vulnerabilities in its plugin ecosystem continue to present significant security challenges for organizations worldwide.