Active RCE in Everest Forms Pro (CVE-2026-3300) - Patch Immediately
Heads up, everyone. There is active exploitation in the wild targeting the Everest Forms Pro plugin. We’re looking at CVE-2026-3300 here, which packs a CVSS score of 9.8. This is a Remote Code Execution (RCE) vulnerability affecting all versions up to and including 1.9.12.
With only about 4,000 active installations, it might seem niche, but for those managing MSPs or multiple WordPress instances, this is a critical failure point. The flaw allows attackers to execute arbitrary code, leading to full site compromise—likely via webshell deployment.
If you are currently auditing your environments, here is a quick WP-CLI command to identify vulnerable versions:
wp plugin list --name=everest-forms-pro --allow-root
You can also grep your web server logs for suspicious activity targeting the plugin's AJAX endpoints:
grep "everest-forms" /var/log/nginx/access.log | grep "POST"
If you can't patch immediately, I suggest disabling the plugin at the filesystem level rather than just via the WP admin dashboard to ensure no hooks remain active.
How is everyone handling the notification process for this one? Are you relying on Wordfence equivalents, or do you have custom scanning scripts for plugin vulnerabilities?
We flagged this early this morning. The exploit chain is pretty standard for these types of plugin bugs—bypassing file upload restrictions.
If you are using a SIEM, keep an eye out for User-Agent anomalies paired with requests to wp-content/uploads. I'm using this simple snippet to sanitize uploads in our staging environments until we're fully patched:
add_filter('wp_handle_upload', function($upload) {
// logic to check MIME types strictly
return $upload;
});
But honestly, if you aren't using the forms right now, just nuke the plugin.
Thanks for the heads-up. Just audited our client list and found two instances still on 1.9.10.
For those who can't easily patch, I recommend restricting access to wp-admin and wp-admin/admin-ajax.php via IP whitelisting in Nginx/Apache. It breaks some functionality, but it stops the RCE.
location /wp-admin/admin-ajax.php {
allow 192.168.1.0/24;
deny all;
}
Has anyone captured a sample of the malware being dropped yet? Curious if it's standard StealC or something new.
Solid advice on the mitigation side. For those needing to triage bulk assets, verifying the installed version via shell is often faster than logging into each dashboard. You can grep the readme file to confirm if you're in the danger zone.
find /var/www/html -name "readme.txt" -path "*/everest-forms-pro/*" -exec grep -H "Version: 1.9" {} \;
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access