
Active exploitation of Everest Forms Pro RCE enables WordPress site takeover

A critical remote code execution flaw in the Everest Forms Pro WordPress plugin is under active exploitation, allowing attackers to achieve complete administrative control of affected websites.

Sebastion

CVE References

CVE-2026-3300

Affected

Everest Forms Pro (WordPress plugin)

The Everest Forms Pro plugin contains a critical vulnerability enabling unauthenticated remote code execution, and it is currently being exploited in the wild to compromise WordPress installations. The flaw, tracked as CVE-2026-3300, lets an attacker execute arbitrary code on the server, which translates directly into full website takeover, credential theft, and use of the compromised host as a staging point for further attacks across the hosting infrastructure.

WordPress plugins remain a persistent attack surface because they execute in the same privileged context as the application itself. Everest Forms Pro is likely a high-value target because form plugins are widely deployed across WordPress sites, particularly sites that handle customer data or serve as administration points. Active exploitation signals that attackers have either developed reliable proof-of-concept code or are leveraging public disclosures. That full takeover is achievable suggests the vulnerability likely involves unauthenticated REST API endpoints, insecure file upload handling, or SQL injection in form processing logic.

Website owners using Everest Forms Pro should immediately check for updates and apply patches without delay. Site administrators should audit access logs for signs of suspicious POST requests to plugin endpoints and review user accounts for unauthorised administrative additions. Consider temporarily disabling the plugin if updates are unavailable and migrating forms to alternative solutions.
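The log audit recommended above can be scripted. The following is an added example, not code from the advisory or the plugin vendor: it parses combined-format access log lines, isolates POST requests whose path references the plugin, and flags source IPs that combine several weak indicators. The advisory does not name the vulnerable endpoints, so the `everest-forms` / `everest_forms` path markers and the log lines are constructed assumptions; the thresholds are a starting heuristic for manual review, not a signature.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:14:02:11 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:14:02:15 +0000] "POST /wp-json/everest-forms/v1/forms HTTP/1.1" 200 310 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:14:02:16 +0000] "POST /wp-admin/admin-ajax.php?action=everest_forms_submit HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.4 - - [10/Mar/2026:14:05:40 +0000] "POST /wp-admin/admin-ajax.php?action=everest_forms_submit HTTP/1.1" 200 87 "https://example.test/contact/" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:14:02:20 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 9000 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed plugin slug as it would appear in REST and admin-ajax paths; the
# advisory names no endpoints, so adjust these markers to the real routes.
PLUGIN_MARKERS = ("everest-forms", "everest_forms")

def is_plugin_post(rec):
    return rec["method"] == "POST" and any(k in rec["path"].lower() for k in PLUGIN_MARKERS)

def triage(log_text):
    """Summarise, per source IP, POSTs to plugin paths plus weak indicators."""
    by_ip = defaultdict(lambda: {"plugin_posts": 0, "errors": 0, "no_referer": 0,
                                 "script_ua": 0, "users_page": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not combined format
        rec = m.groupdict()
        s = by_ip[rec["ip"]]
        if is_plugin_post(rec):
            s["plugin_posts"] += 1
            s["errors"] += int(rec["status"].startswith("5"))   # server errors during probing
            s["no_referer"] += int(rec["referer"] in ("", "-")) # form POST with no originating page
            s["script_ua"] += int(not rec["ua"].startswith("Mozilla"))  # non-browser client
        elif rec["path"].startswith("/wp-admin/users.php"):
            s["users_page"] = True        # same source later touched user management
    return {ip: s for ip, s in by_ip.items() if s["plugin_posts"]}

def suspicious(summary):
    # Heuristic: two or more indicators together warrant manual review.
    flags = [summary["errors"] > 0, summary["no_referer"] > 0,
             summary["script_ua"] > 0, summary["users_page"]]
    return sum(flags) >= 2

if __name__ == "__main__":
    for ip, s in triage(SAMPLE_LOG).items():
        print(ip, "REVIEW" if suspicious(s) else "ok", s)
```

Pair the output with a review of administrator accounts (for example `wp user list --role=administrator` where WP-CLI is available) to confirm whether a flagged source coincided with an unexpected account creation.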

This incident exemplifies the tension in WordPress security: plugins extend functionality but operate with the same privileges as the core application. Plugin authors vary dramatically in security maturity and patch velocity. Organisations relying on WordPress should implement strict plugin approval processes, use Web Application Firewall rules to restrict suspicious form submissions, and maintain regular backups outside the web root. The shift toward supply-chain attacks targeting widely used plugins continues to be one of the most efficient paths to mass compromise.