If you run Everest Forms Pro, update it now. This is a patch-now issue, not something to leave for later.

Everest Forms Pro faces active takeover attempts

Wordfence says attackers started exploiting CVE-2026-3300 on April 13. The flaw lets anyone on the internet, with no login, run their own PHP code on your server. That means an attacker can take over the site. Wordfence says its firewall has already blocked more than 29,300 exploit attempts.

This issue affects Everest Forms Pro versions 1.9.12 and earlier. Wordfence estimates about 4,000 sites use the plugin. The vendor shipped the fix in version 1.9.13 on March 18, and Wordfence disclosed the bug publicly on March 30. Premium Wordfence customers got a firewall rule on February 27. Sites on the free version got that rule 30 days later, on March 29. The advisory does not name the free Everest Forms plugin.

Update Everest Forms Pro to 1.9.13 or later right now. Do not wait for your next maintenance window. If you cannot confirm the version today, log in to WordPress and check it now. If you use Wordfence, make sure its firewall is on, but do not treat that as a substitute for the plugin update.
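To confirm the installed version from the filesystem instead of the dashboard, the following added example (not code from Wordfence or the plugin vendor) reads WordPress plugin headers and flags any copy older than 1.9.13. It assumes the plugin's `Plugin Name:` header reads "Everest Forms Pro"; the sample header is constructed, and the plugins directory is whatever path you pass in.

```python
import re
import sys
from pathlib import Path

FIXED = (1, 9, 13)                 # first patched release named in the advisory
PLUGIN_NAME = "everest forms pro"  # assumption: value of the "Plugin Name:" header

# WordPress plugin headers are "Key: value" lines inside the opening comment.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.M | re.I)

# Constructed sample header, not copied from the real plugin.
SAMPLE = "<?php\n/**\n * Plugin Name: Everest Forms Pro\n * Version: 1.9.9\n */\n"

def parse_version(text):
    """'1.9.12' -> (1, 9, 12). Compared as integers, so 1.9.9 < 1.9.13."""
    parts = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple(parts + [0] * (3 - len(parts)))

def status_for(php_source):
    """Return (version, status) if the source is this plugin's main file, else None."""
    fields = {}
    for key, value in HEADER.findall(php_source[:8192]):  # headers sit at the top
        fields.setdefault(key.lower(), value)
    if fields.get("plugin name", "").lower() != PLUGIN_NAME or "version" not in fields:
        return None
    version = fields["version"]
    return version, "PATCHED" if parse_version(version) >= FIXED else "VULNERABLE"

def audit(plugins_dir):
    """Check every top-level PHP file of every plugin folder under plugins_dir."""
    found = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        result = status_for(php.read_text(errors="replace"))
        if result:
            found.append((str(php), *result))
    return found

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, version, status in audit(sys.argv[1]):
            print(f"{status:10} {version:10} {path}")
    else:
        print("sample:", status_for(SAMPLE))
```

Versions are compared as integer tuples because a plain string comparison would rank 1.9.9 above 1.9.13 and report a vulnerable install as patched.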

