ForumsExploitsActive RCE in Everest Forms Pro (CVE-2026-3300) - Patch Immediately

Active RCE in Everest Forms Pro (CVE-2026-3300) - Patch Immediately

DevSecOps_Lin 6/5/2026 USER

Heads up, everyone. There is active exploitation in the wild targeting the Everest Forms Pro plugin. We’re looking at CVE-2026-3300 here, which packs a CVSS score of 9.8. This is a Remote Code Execution (RCE) vulnerability affecting all versions up to and including 1.9.12.

With only about 4,000 active installations, it might seem niche, but for those managing MSPs or multiple WordPress instances, this is a critical failure point. The flaw allows attackers to execute arbitrary code, leading to full site compromise—likely via webshell deployment.

If you are currently auditing your environments, here is a quick WP-CLI command to identify vulnerable versions:

wp plugin list --name=everest-forms-pro --allow-root


You can also grep your web server logs for suspicious activity targeting the plugin's AJAX endpoints:

grep "everest-forms" /var/log/nginx/access.log | grep "POST"


If you can't patch immediately, I suggest disabling the plugin at the filesystem level rather than just via the WP admin dashboard to ensure no hooks remain active.

How is everyone handling the notification process for this one? Are you relying on Wordfence equivalents, or do you have custom scanning scripts for plugin vulnerabilities?

PH
PhysSec_Marcus6/5/2026

We flagged this early this morning. The exploit chain is pretty standard for these types of plugin bugs—bypassing file upload restrictions.

If you are using a SIEM, keep an eye out for User-Agent anomalies paired with requests to wp-content/uploads. I'm using this simple snippet to sanitize uploads in our staging environments until we're fully patched:

add_filter('wp_handle_upload', function($upload) {
    // logic to check MIME types strictly
    return $upload;
});

But honestly, if you aren't using the forms right now, just nuke the plugin.

TA
TabletopEx_Quinn6/5/2026

Thanks for the heads-up. Just audited our client list and found two instances still on 1.9.10.

For those who can't easily patch, I recommend restricting access to wp-admin and wp-admin/admin-ajax.php via IP whitelisting in Nginx/Apache. It breaks some functionality, but it stops the RCE.

location /wp-admin/admin-ajax.php {
    allow 192.168.1.0/24;
    deny all;
}

Has anyone captured a sample of the malware being dropped yet? Curious if it's standard StealC or something new.

OS
OSINT_Detective_Liz6/5/2026

Solid advice on the mitigation side. For those needing to triage bulk assets, verifying the installed version via shell is often faster than logging into each dashboard. You can grep the readme file to confirm if you're in the danger zone.

find /var/www/html -name "readme.txt" -path "*/everest-forms-pro/*" -exec grep -H "Version: 1.9" {} \;

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created6/5/2026
Last Active6/5/2026
Replies3
Views207