Critical Everest Forms Pro flaw exploited to take over WordPress sites

Summary

Hackers are actively exploiting a critical vulnerability in the Everest Forms Pro WordPress plugin, allowing them to gain complete control of affected websites. The vulnerability, identified as CVE-2026-3300, enables attackers to bypass access controls and execute arbitrary code, leading to website takeovers.

IFF Assessment

FOE

This vulnerability allows attackers to gain complete control of websites, posing a direct threat to defenders.

Severity

9.8 Critical

The vulnerability allows for complete administrative control of a WordPress site, including arbitrary code execution, indicating a high impact. The ease of exploitation, likely via a network attack vector without authentication, further contributes to the high score.

Defender Context

Defenders should prioritize patching or disabling the Everest Forms Pro plugin immediately to mitigate the risk of website compromise. This incident highlights the ongoing threat posed by unpatched vulnerabilities in popular WordPress plugins and the need for robust vulnerability management and timely updates.