Actively Exploited: CVE-2026-3300 Gives Attackers Full Control of WordPress Sites Running Everest Forms Pro
Active Exploitation Underway
Threat actors are actively exploiting CVE-2026-3300, a critical remote code execution vulnerability in Everest Forms Pro, a premium WordPress form-builder plugin. The flaw carries a CVSS score of 9.8 — the near-maximum severity — and exploitation in the wild has already been confirmed.
The vulnerability is a Remote Code Execution (RCE) flaw that allows unauthenticated attackers to execute arbitrary code on the server. No login and no privilege escalation are needed: a single crafted request can hand an attacker complete control of the underlying host, not just the WordPress installation.
Why This Is Critical Right Now
Everest Forms Pro has approximately 4,000 active installations. That's a small footprint by plugin standards, but RCE vulnerabilities with a public exploit and no authentication barrier get weaponized fast — automated scanners typically sweep the entire WordPress ecosystem within hours of a PoC becoming available.
Full site compromise means attackers can:
- Plant backdoors that survive plugin updates or password resets
- Exfiltrate database contents, including user PII, credentials, and payment data
- Pivot to the underlying server if PHP runs with overly broad permissions
- Inject malicious JavaScript into every page served to your visitors
- Enlist the host in botnets or spam campaigns, triggering domain and IP blacklisting
Given that WordPress sites often run on shared hosting or VPS environments where one compromised app can reach others, the blast radius extends well beyond the site itself.
What To Do — In Order
1. Patch immediately. Check your Everest Forms Pro version in the WordPress admin under Plugins. Apply the latest update from the vendor. If a patched version is not yet available from your plugin source, deactivate and delete the plugin until one is released. A non-functional form is recoverable; a backdoored server is not.
2. Scan for indicators of compromise. If the plugin has been active on an internet-facing site, assume potential compromise. Check for:
- Unfamiliar admin accounts in Users → All Users
- Recently modified PHP files (find /var/www -name "*.php" -newer /var/www/index.php)
- Unexpected cron jobs (crontab -l and /etc/cron*)
- Outbound connections to unknown IPs in your server logs
3. Audit your WAF rules. If you're behind Cloudflare, Wordfence, or another WAF, verify that RCE/file-upload blocking rules are enabled and current. These won't substitute for patching but can reduce exposure during the window before a patch is applied.
4. Review file upload directories. RCE via form plugins commonly exploits file upload handling. Check wp-content/uploads for any .php, .phtml, or .phar files — none should exist there.
5. Rotate credentials. If you cannot rule out prior exploitation, rotate your WordPress admin password, database password, and any API keys stored in wp-config.php or plugin settings tables.
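As an added example covering the file-level checks in steps 2 and 4 (example code, not from the advisory or from the plugin vendor), the following POSIX shell script wraps those checks in functions that can be pointed at a real document root and used as an alert or CI gate. It assumes a Unix host with find(1) and touch(1); the site root, the use of index.php as the timestamp reference, and the file names in the constructed fixture are assumptions for illustration. The fixture it builds contains only dummy files so the checks can be demonstrated offline.

```shell
#!/bin/sh
# Added triage helper for steps 2 and 4 of the checklist above.
# Example code, not from the advisory or the plugin vendor. Assumes a
# Unix host with a POSIX shell, find(1) and touch(1). The site root,
# the choice of index.php as timestamp reference and the fixture file
# names are assumptions for illustration.

# Files under the uploads tree whose extension a PHP handler may execute.
# A clean WordPress uploads directory should yield nothing.
find_executable_uploads() {
    find "$1" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) \
        2>/dev/null | sort
}

# PHP files under the site root modified after a reference file that
# should not have changed since the last legitimate deployment.
find_recent_php() {
    find "$1" -type f -name '*.php' -newer "$2" 2>/dev/null | sort
}

# Non-comment lines from the system cron locations and the current
# user's crontab; anything you did not schedule yourself needs a look.
list_cron_entries() {
    { cat /etc/crontab /etc/cron.d/* 2>/dev/null; crontab -l 2>/dev/null; } \
        | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' || true
}

# Run both file checks against one site root, print findings and return
# 1 if anything was found, 0 if clean (usable as an alert or CI gate).
triage_site() {
    root="$1"
    hits=0
    uploads=$(find_executable_uploads "$root/wp-content/uploads")
    recent=$(find_recent_php "$root" "$root/index.php")
    if [ -n "$uploads" ]; then
        echo "[!] executable files under $root/wp-content/uploads:"
        printf '%s\n' "$uploads" | sed 's/^/    /'
        hits=1
    fi
    if [ -n "$recent" ]; then
        echo "[!] PHP files newer than $root/index.php:"
        printf '%s\n' "$recent" | sed 's/^/    /'
        hits=1
    fi
    if [ "$hits" -eq 0 ]; then
        echo "[ok] no file-level indicators under $root"
    fi
    return "$hits"
}

# Build a small constructed WordPress-like tree so the checks can be
# demonstrated offline. No real site data and no real malicious code.
make_demo_site() {
    site=$(mktemp -d)
    demo_plugin="$site/wp-content/plugins/everest-forms-pro"
    demo_uploads="$site/wp-content/uploads/2026/03"
    mkdir -p "$demo_plugin" "$demo_uploads"
    printf '<?php // front controller\n' > "$site/index.php"
    printf '<?php // legitimate plugin file\n' > "$demo_plugin/everest-forms-pro.php"
    printf 'image bytes\n' > "$demo_uploads/photo.jpg"
    # Two constructed indicators: a PHP file sitting in the upload tree
    # and a plugin file changed after deployment (dummy contents only).
    printf '<?php // constructed dummy\n' > "$demo_uploads/form-upload.php"
    printf '<?php // constructed dummy\n' > "$demo_plugin/tampered.php"
    # Stamp legitimate files at deployment time and the indicators later,
    # so the -newer comparison does not depend on clock granularity.
    touch -t 202601010000 "$site/index.php" \
        "$demo_plugin/everest-forms-pro.php" "$demo_uploads/photo.jpg"
    touch -t 202603010000 "$demo_uploads/form-upload.php" "$demo_plugin/tampered.php"
    printf '%s\n' "$site"
}

# Stand-alone run against the constructed tree. On a real host, source
# this file and call: triage_site /var/www/html
demo=$(make_demo_site)
triage_site "$demo" || true
rm -rf "$demo"
```

Run it as-is to see the findings on the constructed tree; on a real host, source the file and call triage_site with the actual document root. The -newer comparison only flags files changed after the reference file, so choose a reference you are sure predates any possible compromise, and treat a clean result as the absence of these particular indicators rather than proof that the host is clean.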
Monitor The Hacker News and the WordPress plugin changelog for vendor guidance as this situation develops.
Synthesized by Claude · sanity-checked before publish.