Every now and then the same panicked message lands in my inbox: "Bruno, my WordPress site is acting weird — there's an admin user that isn't me". The root cause is almost always the same: an outdated plugin. This week's case has a name — and a lesson that applies to anyone running a site.
What happened with the Everest Forms plugin?
Everest Forms Pro, a forms plugin with hundreds of thousands of installs, got a critical flaw: CVE-2026-3300, scored 9.8 out of 10. It lets any visitor, with no login, run arbitrary PHP on the server, which in practice hands over the whole site.
The fix shipped in March (version 1.9.13; everything up to and including 1.9.12 is affected). Even so, exploitation started on April 13 and exploded: Wordfence logged over 29,000 blocked attempts, peaking at around 17,900 in a single day (May 16). The attacks follow one pattern: create a rogue administrator account (the login seen in the wild is diksimarina) and take over the dashboard.
Why is eval() on user input so dangerous?
The plugin's calculation add-on takes what someone types in a form field, splices it into a string of PHP source, and runs that string with eval(). WordPress's sanitize_text_field() does "clean" the text, but only in the sense it was designed for: it strips HTML tags and stray whitespace. It leaves quotes, semicolons and parentheses untouched, so the attacker terminates the expression the plugin meant to evaluate and appends statements of their own.
// WRONG: user data becoming code (deliberately vulnerable, as described above)
$expr = sanitize_text_field($_POST['field']); // strips tags; keeps quotes, semicolons, parentheses
eval('$total = ' . $expr . ';');
// malicious input: 1; system($_GET['c']); //
// string handed to eval: $total = 1; system($_GET['c']); //;
The result: a harmless form field becomes a terminal open to the entire internet.
Why does this type of flaw still happen in 2026?
eval() is PHP's original sin: powerful, convenient, and that is exactly why it still ships in code running on thousands of sites. The rule is old and simple, and I repeat it to every client: user data never becomes code. Not via eval(), not via system() and its siblings (exec(), shell_exec(), passthru()), not concatenated into SQL.
How I'd do it (and how it should be)
To add two numbers you don't need a code interpreter. You validate the input and compute with plain operations:
// RIGHT: validate and compute, no user code executed
$n = filter_var($_POST['field'], FILTER_VALIDATE_FLOAT); // false unless the input parses as a number
$total = ($n !== false) ? $n * 2 : 0; // better still: reject the submission with a validation error instead of defaulting to 0
Less "clever", infinitely safer. Same logic for the database: prepared statements (PDO, or $wpdb->prepare() inside WordPress), never string concatenation. That's how I write PHP, and it's the kind of review I run when I take over a system.
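Real form calculations are rarely "multiply by two"; the designer configures a formula and the visitor supplies the numbers. The following is an added example (not code from the post and not the plugin's own code) of doing that without eval(): the formula is parsed into tokens and evaluated with a small shunting-yard evaluator, and every submitted value must pass FILTER_VALIDATE_FLOAT before it is used, so user data is only ever a number. The function names, the {field} placeholder syntax and the sample formula are assumptions; it needs PHP 8.0+ for match.

```php
<?php
// Added example, not code from the post or from Everest Forms: a form
// calculation evaluated WITHOUT eval(). The formula is trusted designer
// config; submitted field values must validate as floats, so user data
// is only ever a number, never code. Names (tokenize, evaluate,
// safe_calculate, the {field} placeholder syntax) are assumptions.
declare(strict_types=1);

/** Split a formula into number, {field} and operator tokens; reject anything else. */
function tokenize(string $formula): array
{
    // Anchored (A) at the current offset: each match must start exactly at $pos.
    $re = '/\s*(?:(\d+(?:\.\d+)?)|(\{[a-z0-9_]+\})|([-+*\/()]))\s*/Ai';
    $tokens = [];
    $pos = 0;
    $len = strlen($formula);
    while ($pos < $len) {
        if (!preg_match($re, $formula, $m, 0, $pos)) {
            throw new InvalidArgumentException("Unexpected character at offset $pos");
        }
        if ($m[1] !== '') {
            $tokens[] = ['num', (float) $m[1]];
        } elseif (isset($m[2]) && $m[2] !== '') {
            $tokens[] = ['field', trim($m[2], '{}')];
        } else {
            $tokens[] = ['op', $m[3]];
        }
        $pos += strlen($m[0]);
    }
    return $tokens;
}

/** Shunting-yard evaluation of the token list; $values maps field names to validated floats. */
function evaluate(array $tokens, array $values): float
{
    $prec = ['+' => 1, '-' => 1, '*' => 2, '/' => 2];
    $rpn = [];   // output queue in reverse Polish notation
    $ops = [];   // operator stack
    foreach ($tokens as [$type, $val]) {
        if ($type === 'num') {
            $rpn[] = $val;
        } elseif ($type === 'field') {
            if (!array_key_exists($val, $values)) {
                throw new InvalidArgumentException("No value for field {$val}");
            }
            $rpn[] = (float) $values[$val];
        } elseif ($val === '(') {
            $ops[] = '(';
        } elseif ($val === ')') {
            while ($ops && end($ops) !== '(') {
                $rpn[] = array_pop($ops);
            }
            if (!$ops) {
                throw new InvalidArgumentException('Unbalanced parentheses');
            }
            array_pop($ops);
        } else { // binary operator, left-associative
            while ($ops && end($ops) !== '(' && $prec[end($ops)] >= $prec[$val]) {
                $rpn[] = array_pop($ops);
            }
            $ops[] = $val;
        }
    }
    while ($ops) {
        $op = array_pop($ops);
        if ($op === '(') {
            throw new InvalidArgumentException('Unbalanced parentheses');
        }
        $rpn[] = $op;
    }
    $stack = [];
    foreach ($rpn as $item) {
        if (is_float($item)) {
            $stack[] = $item;
            continue;
        }
        if (count($stack) < 2) {
            throw new InvalidArgumentException('Malformed expression');
        }
        $b = array_pop($stack);
        $a = array_pop($stack);
        if ($item === '/' && $b == 0.0) {
            throw new InvalidArgumentException('Division by zero');
        }
        $stack[] = match ($item) {
            '+' => $a + $b,
            '-' => $a - $b,
            '*' => $a * $b,
            '/' => $a / $b,
        };
    }
    if (count($stack) !== 1) {
        throw new InvalidArgumentException('Malformed expression');
    }
    return $stack[0];
}

/** Validate every submitted value as a float, then evaluate. Returns null on bad input. */
function safe_calculate(string $formula, array $submitted): ?float
{
    $values = [];
    foreach ($submitted as $name => $raw) {
        $n = filter_var($raw, FILTER_VALIDATE_FLOAT);
        if ($n === false) {
            return null; // reject; never "clean" it into something that gets executed
        }
        $values[(string) $name] = $n;
    }
    return evaluate(tokenize(trim($formula)), $values);
}

// Constructed inputs: a designer-configured formula and two submissions,
// the second carrying the injection payload from the post.
$formula = '({qty} * {price}) * 1.2 - 5';
var_dump(safe_calculate($formula, ['qty' => '3', 'price' => '10']));
var_dump(safe_calculate($formula, ['qty' => '3; system($_GET["c"]); //', 'price' => '10']));
```

The first call evaluates to 31.0; the second returns null because the payload is not a number, and nothing in it ever reaches an interpreter. The evaluator deliberately supports only numbers, the four arithmetic operators and parentheses (no unary minus, no function calls); anything outside that grammar throws, which is the point: the accepted language is the whole attack surface, and here it is tiny and enumerable.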
Harden your WordPress in 5 minutes
- Update every plugin and turn on auto-updates. If you use Everest Forms Pro, update to 1.9.13 or later now.
- Remove plugins and themes you don't use — each one is another door.
- Check your admins (Users > All Users): is there one you didn't create? Delete it and rotate every password, including the database password and the salts in wp-config.php. And don't stop there: an attacker who could run PHP on your server may have left a web shell or a modified plugin file behind, so treat the site as compromised, compare it against a clean backup, and clean or restore it rather than just removing the account.
- Run a WAF (Wordfence and the like) — it blocks most of these attempts automatically.
- Keep automatic backups off-server, so you can restore fast if the worst happens.
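The admin check above can be done by hand in the dashboard, but on a site you suspect, or across many sites, you want it as a query. The following is an added example, not from the post: it lists administrator accounts straight from the database and flags those registered after a cutoff date, using PDO prepared statements throughout (the same habit the post asks for in application code). It runs here against a constructed in-memory SQLite copy of wp_users and wp_usermeta; the SQL is plain enough to run unchanged against the real MySQL database by swapping the DSN. The wp_ prefix and the sample rows (including the diksimarina login the post mentions) are fixture data, not real records.

```php
<?php
// Added example, not from the post: list WordPress administrator accounts
// and flag the ones registered after a cutoff date. Every query is a PDO
// prepared statement. Runs against a constructed in-memory SQLite copy of
// wp_users / wp_usermeta; the "wp_" prefix and all rows are assumptions.
declare(strict_types=1);

/**
 * Administrators registered at or after $since ("Y-m-d H:i:s", UTC),
 * newest first. The table prefix cannot be a bound parameter, so it is
 * validated against a strict allow-list pattern before interpolation;
 * everything else ($since, the meta key, the LIKE pattern) is bound.
 */
function list_administrators(PDO $db, string $since = '1970-01-01 00:00:00', string $prefix = 'wp_'): array
{
    if (!preg_match('/^[a-z0-9_]+$/i', $prefix)) {
        throw new InvalidArgumentException('Invalid table prefix');
    }
    $sql = "SELECT u.ID, u.user_login, u.user_email, u.user_registered
              FROM {$prefix}users u
              JOIN {$prefix}usermeta m ON m.user_id = u.ID
             WHERE m.meta_key = :cap_key
               AND m.meta_value LIKE :cap_pattern
               AND u.user_registered >= :since
             ORDER BY u.user_registered DESC";
    $stmt = $db->prepare($sql);
    $stmt->execute([
        ':cap_key'     => $prefix . 'capabilities',  // WordPress stores roles under {prefix}capabilities
        ':cap_pattern' => '%"administrator"%',       // serialized PHP array, e.g. a:1:{s:13:"administrator";b:1;}
        ':since'       => $since,
    ]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Constructed fixture: a minimal wp_users / wp_usermeta in SQLite ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT)');
$db->exec('CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT)');
$user = $db->prepare('INSERT INTO wp_users (ID, user_login, user_email, user_registered) VALUES (?, ?, ?, ?)');
$meta = $db->prepare('INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)');
foreach ([
    [1, 'bruno',       'bruno@example.com', '2021-03-02 10:00:00', 'administrator'],
    [2, 'editor1',     'ed@example.com',    '2023-06-14 09:30:00', 'editor'],
    [3, 'diksimarina', 'x@example.net',     '2026-05-16 03:12:44', 'administrator'],
] as [$id, $login, $email, $registered, $role]) {
    $user->execute([$id, $login, $email, $registered]);
    // serialize() produces the same format WordPress writes for a role array
    $meta->execute([$id, 'wp_capabilities', serialize([$role => true])]);
}

echo "All administrators:\n";
foreach (list_administrators($db) as $row) {
    printf("  #%d %-12s registered %s\n", $row['ID'], $row['user_login'], $row['user_registered']);
}

echo "Administrators registered since exploitation began (2026-04-13):\n";
foreach (list_administrators($db, '2026-04-13 00:00:00') as $row) {
    printf("  SUSPECT #%d %s <%s> registered %s\n", $row['ID'], $row['user_login'], $row['user_email'], $row['user_registered']);
}
```

In the fixture only the diksimarina account is both an administrator and registered after the cutoff, so it is the only row in the second list; bruno is an administrator but predates the attacks, and editor1 never matches the role pattern. Against a live site, take the prefix from $table_prefix in wp-config.php and point the DSN at MySQL. Two caveats: registration dates come from the same database the attacker could write to, so compare the list against a known-good backup rather than trusting it alone, and a clean list of admins does not prove the absence of a web shell dropped through the same RCE.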
I want a security audit of my site
Found a strange admin, or want to review your site's security before it becomes a problem? That's exactly the kind of thing I fix — let's talk.
Sources
The Hacker News · Infosecurity Magazine · SentinelOne (CVE-2026-3300)