WordPress and Magento Plugin RCE Keeps Coming: Everest Forms Exploited, Mirasvit Added to KEV
Two more plugin RCEs are under active exploitation: Everest Forms Pro CVE-2026-3300 (CVSS 9.8), a PHP-injection flaw Wordfence has blocked tens of thousands of times, and Magento's Mirasvit Cache Warmer CVE-2026-45247 (CVSS 9.8), now added to CISA's KEV catalog.
Key Takeaways
The web-application plugin RCE cluster The CyberSignal has tracked through Kirki and WP Maps Pro gained two more entries this cycle — and they now span both of the dominant content and commerce ecosystems, at a cadence that turns plugin inventory into a security metric.
WASHINGTON, D.C. — Two more web-platform plugins are under active exploitation, extending a pattern The CyberSignal has documented across the WordPress and Magento ecosystems. Everest Forms Pro, a WordPress plugin, has a critical remote-code-execution flaw tracked as CVE-2026-3300 (CVSS 9.8) that lets unauthenticated attackers inject and execute arbitrary PHP code; per reporting from Cybersecurity News and Wordfence threat-intelligence data, the flaw has drawn tens of thousands of exploitation attempts. Separately, CISA added CVE-2026-45247 (CVSS 9.8) — a deserialization-of-untrusted-data RCE in Mirasvit Full Page Cache Warmer, a popular Magento full-page-cache extension — to its Known Exploited Vulnerabilities (KEV) catalog after confirmed exploitation in the wild, per The Hacker News and SecurityWeek.
The operational implication is unchanged from prior briefs but escalating in urgency: actively exploited plugin and extension RCE is now arriving at a sub-weekly cadence and spanning both the dominant CMS and the dominant open-source commerce platform. Third-party cache and forms extensions have become a primary path to code execution on the servers that run the web.
Two Plugin RCEs at a Glance

| Field | Details |
|---|---|
| Everest Forms Pro | CVE-2026-3300 (CVSS 9.8) — unauthenticated RCE via arbitrary PHP injection in the Complex Calculation feature |
| Everest Forms Versions | Affects versions up to and including 1.9.12; fixed in 1.9.13 (vendor patch released March 18, 2026) |
| Everest Forms Timeline | Publicly disclosed March 30, 2026; active exploitation observed from April 13, 2026 |
| Everest Forms Telemetry | Wordfence reports 29,300+ blocked exploitation attempts, including a spike of 17,900+ on May 16 |
| Mirasvit Cache Warmer | CVE-2026-45247 (CVSS 9.8) — unauthenticated RCE via deserialization of untrusted data in a CacheWarmer cookie |
| Mirasvit Versions | Affects all versions prior to 1.11.12; patched May 25, 2026 |
| Mirasvit Status | Added to CISA's Known Exploited Vulnerabilities catalog after confirmed in-the-wild exploitation |
| Mirasvit Indicator | A CacheWarmer cookie value matching CacheWarmer:(Tz|Qz|YT) is a strong indicator of an exploitation attempt |
What Happened
CVE-2026-3300 is a remote-code-execution flaw in Everest Forms Pro, a widely used WordPress form-builder plugin. Per the reporting, the vulnerability lives in the plugin's 'Complex Calculation' feature: the addon concatenates user-submitted values into PHP code and passes them to PHP's eval() function without proper escaping, allowing an unauthenticated attacker to inject and execute arbitrary PHP when a form uses that feature. The flaw affects all versions up to and including 1.9.12 and carries a CVSS score of 9.8. The vendor released a fix in version 1.9.13 on March 18, 2026, and the issue was publicly disclosed on March 30; despite the available patch, threat actors began actively targeting unpatched installations on April 13. Wordfence threat-intelligence data cited in reporting shows more than 29,300 blocked exploitation attempts, including a single-day spike of over 17,900 on May 16, indicating automated, internet-scale targeting.
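The bug class described above, as an added example that is not Everest Forms code: the unsafe pattern (submitter-controlled text concatenated into PHP source and handed to eval()) is shown only for contrast, and the hardened replacement is a small recursive-descent calculator over a fixed arithmetic grammar that looks field values up as numbers and never calls eval(). The `SafeCalculator` class, the `{field}` placeholder syntax and the sample submission are all assumptions for illustration, not the plugin's own API.

```php
<?php
declare(strict_types=1);

// Added example; this is not Everest Forms code. It contrasts the bug class the
// article describes (user text concatenated into PHP source and passed to eval)
// with a calculator that parses a strict arithmetic grammar and never calls eval.

// UNSAFE PATTERN, shown for contrast only and never called below: whatever the
// submitter types into $formula is compiled and run as PHP on the web server.
function unsafeCalculate(string $formula, array $fields): float
{
    foreach ($fields as $name => $value) {
        $formula = str_replace('{' . $name . '}', (string) $value, $formula);
    }
    return (float) eval('return ' . $formula . ';');
}

// HARDENED: recursive-descent evaluator over the grammar
//   expr := term (('+'|'-') term)* ; term := factor (('*'|'/') factor)*
//   factor := '-' factor | '(' expr ')' | number | '{' field '}'
// Field values are looked up and cast, never spliced into source text.
final class SafeCalculator
{
    private int $pos = 0;

    private function __construct(private string $src, private array $fields) {}

    public static function evaluate(string $formula, array $fields): float
    {
        $calc = new self(preg_replace('/\s+/', '', $formula), $fields);
        $result = $calc->parseExpr();
        if ($calc->pos !== strlen($calc->src)) {
            throw new InvalidArgumentException('Unexpected input at offset ' . $calc->pos);
        }
        return $result;
    }

    private function peek(): string { return $this->src[$this->pos] ?? ''; }

    private function parseExpr(): float
    {
        $value = $this->parseTerm();
        while (in_array($this->peek(), ['+', '-'], true)) {
            $op = $this->src[$this->pos++];
            $rhs = $this->parseTerm();
            $value = $op === '+' ? $value + $rhs : $value - $rhs;
        }
        return $value;
    }

    private function parseTerm(): float
    {
        $value = $this->parseFactor();
        while (in_array($this->peek(), ['*', '/'], true)) {
            $op = $this->src[$this->pos++];
            $rhs = $this->parseFactor();
            if ($op === '/' && $rhs === 0.0) {
                throw new DomainException('Division by zero');
            }
            $value = $op === '*' ? $value * $rhs : $value / $rhs;
        }
        return $value;
    }

    private function parseFactor(): float
    {
        $c = $this->peek();
        if ($c === '-') {
            $this->pos++;
            return -$this->parseFactor();
        }
        if ($c === '(') {
            $this->pos++;
            $v = $this->parseExpr();
            if ($this->peek() !== ')') {
                throw new InvalidArgumentException('Missing closing parenthesis');
            }
            $this->pos++;
            return $v;
        }
        if (preg_match('/\G\{([A-Za-z0-9_]+)\}/', $this->src, $m, 0, $this->pos)) {
            $this->pos += strlen($m[0]);
            $raw = $this->fields[$m[1]] ?? null;
            if (!is_numeric($raw)) {
                throw new InvalidArgumentException('Field ' . $m[1] . ' is missing or not numeric');
            }
            return (float) $raw;   // used as a number, never as code
        }
        if (preg_match('/\G\d+(?:\.\d+)?/', $this->src, $m, 0, $this->pos)) {
            $this->pos += strlen($m[0]);
            return (float) $m[0];
        }
        throw new InvalidArgumentException('Expected a number at offset ' . $this->pos);
    }
}

// Constructed sample submission (not real form data).
$fields = ['qty' => '3', 'price' => '19.99'];
echo SafeCalculator::evaluate('{qty} * {price} * (1 + 0.2)', $fields), PHP_EOL;

// Anything outside the grammar (a call, a statement separator) is rejected
// before any computation happens.
foreach (['{qty} * foo()', '{qty} + {price}; 1'] as $bad) {
    try {
        SafeCalculator::evaluate($bad, $fields);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $bad, ' (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

The design point is that the parser is the whitelist: there is no string of characters a submitter can type that reaches a PHP code path, because field values only ever enter the computation as floats and every other token must match the grammar or raise an exception.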
CVE-2026-45247 is a separate but parallel problem in the Magento ecosystem. Mirasvit Full Page Cache Warmer, a popular cache extension for Adobe Commerce and Magento, contains a deserialization-of-untrusted-data vulnerability: per analysis from Sansec and Imperva, the plugin passes part of a client-supplied CacheWarmer cookie value directly to PHP's native unserialize() function with no class restrictions and no authentication checks. Because the cookie is entirely client-side, an attacker can craft it to inject arbitrary PHP objects and achieve remote code execution through commonly abused gadget chains. The flaw carries a CVSS score of 9.8, affects all versions prior to 1.11.12 (patched May 25, 2026), and CISA added it to the KEV catalog after confirmed active exploitation. Imperva reports observing base64-encoded serialized payloads delivered via malicious HTTP requests; a CacheWarmer cookie matching the pattern CacheWarmer:(Tz|Qz|YT) is a strong indicator of an exploitation attempt.
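The hardening for the deserialization class above, as an added example that is not Mirasvit code. The cookie layout it uses (`CacheWarmer:` prefix, base64 JSON payload, dot, HMAC) is a hypothetical design for illustration; the extension's real cookie format is not described on the page. It shows the preferred fix (a signed, non-serialized format so client bytes never reach unserialize()) and, for code that must keep the serialized format for now, the minimum mitigation of `allowed_classes => false` with a scalars-only check.

```php
<?php
declare(strict_types=1);

// Added example; not Mirasvit code. The article says the extension passes part
// of a client-supplied CacheWarmer cookie to unserialize(). The layout used
// here ("CacheWarmer:" + base64 payload + "." + HMAC) is hypothetical.

const CACHE_WARMER_PREFIX = 'CacheWarmer:';

/** Mint a cookie the server can later trust: JSON rather than serialize(), and signed. */
function buildCacheWarmerCookie(array $state, string $secret): string
{
    $payload = base64_encode(json_encode($state, JSON_THROW_ON_ERROR));
    return CACHE_WARMER_PREFIX . $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

/**
 * Read the cookie back without deserializing untrusted bytes. An unsigned,
 * tampered or malformed cookie yields null, so a crafted value never reaches
 * a parser that could instantiate objects.
 */
function parseCacheWarmerCookie(string $cookie, string $secret): ?array
{
    if (!str_starts_with($cookie, CACHE_WARMER_PREFIX)) {
        return null;
    }
    $parts = explode('.', substr($cookie, strlen(CACHE_WARMER_PREFIX)), 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Constant-time MAC check happens before any decoding of the payload.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null;
    }
    $state = json_decode($raw, true);
    return is_array($state) ? $state : null;
}

/**
 * If the serialized format cannot be dropped yet, the minimum hardening is
 * allowed_classes => false: O:/C: records become __PHP_Incomplete_Class
 * instead of live objects, and anything that is not a plain array of scalars
 * is refused outright.
 */
function unserializeScalarsOnly(string $raw): ?array
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return null;
    }
    $hasObject = false;
    array_walk_recursive($value, function ($leaf) use (&$hasObject): void {
        $hasObject = $hasObject || is_object($leaf);
    });
    return $hasObject ? null : $value;
}

// Constructed demo values (not real secrets or traffic).
$secret = 'constructed-demo-secret';
$good = buildCacheWarmerCookie(['warm' => true, 'ttl' => 300], $secret);
$tampered = substr_replace($good, 'X', strlen(CACHE_WARMER_PREFIX), 1); // alter one payload byte

var_dump(parseCacheWarmerCookie($good, $secret));
var_dump(parseCacheWarmerCookie($tampered, $secret));       // signature no longer verifies
var_dump(unserializeScalarsOnly('a:1:{s:3:"ttl";i:300;}'));  // plain array of scalars
var_dump(unserializeScalarsOnly('O:8:"stdClass":0:{}'));     // object record is refused
```

Of the two functions, `parseCacheWarmerCookie` is the one to aim for: it removes the gadget-chain surface entirely rather than constraining it, and the HMAC means a client cannot author cookie contents at all. `unserializeScalarsOnly` is a stop-gap for code that cannot yet change its wire format.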
Two Classic Code-Execution Bugs in Two Different Ecosystems
The two flaws are textbook examples of distinct but equally dangerous RCE classes. Everest Forms Pro is an eval() injection: user input flows into a PHP code-evaluation function without sanitization, so attacker-supplied text becomes attacker-supplied code. Mirasvit is a PHP object-injection bug: untrusted input reaches unserialize(), letting an attacker instantiate arbitrary objects and chain existing code 'gadgets' into command execution. Both are well-understood patterns that secure-coding guidance has warned against for years, and both keep appearing in third-party extensions because extension authors operate outside the security review the core platforms receive. The CyberSignal has tracked the same dynamic across the Kirki WordPress flaw CVE-2026-8206 and the WP Maps Pro flaw CVE-2026-8732, exploited to mint admin accounts on 15,000 sites.
The Patch-Gap Problem Is Worst in the Extension Layer
Both incidents show the characteristic plugin patch gap: a fix exists, but exploitation outpaces adoption. Everest Forms Pro had a patch available from March 18, yet mass exploitation began April 13 and a single-day attack spike landed on May 16 — weeks after a fix shipped. The reason is structural. Extension updates are not always automatic, vendors rarely have a broadcast channel into every customer's dashboard, and the people running these sites are frequently marketing teams or agencies rather than security staff. That asymmetry is exactly what The CyberSignal described in its coverage of the Ghost CMS flaw CVE-2026-26980 that hijacked 700 sites in a ClickFix campaign and the LiteSpeed cPanel plugin flaw that let any account run code as root. The flaw is found, the patch is released, and a long tail of unpatched installations becomes the exploited population.
Why the Cadence Itself Is the News
Any one of these flaws would be a routine critical-RCE brief. The point of clustering them is the cadence: actively exploited plugin and extension RCE is now arriving on a roughly sub-weekly basis and spanning both WordPress and Magento — the two platforms that, between them, power an enormous share of the world's commercial web presence. That frequency changes what the right response is. It is no longer sufficient to patch each flaw as it makes the news; the volume justifies treating plugin and extension management as a continuous program with a hard service-level objective, the same way the Verizon DBIR 2026 reframed vulnerability exploitation as the top initial-access vector. The extension layer is where the 2026 web platform breaks, and the cadence is the signal that it needs program-level attention.
Scope and Impact
The exposed populations differ in shape but share a profile. Everest Forms Pro is a popular WordPress form-builder, and the precondition for CVE-2026-3300 is that a form uses the Complex Calculation feature — but the unauthenticated nature of the flaw means any such site is reachable by automated scanning, which the 29,300-plus blocked attempts confirm is already happening at scale. Mirasvit Cache Warmer is a commercial performance extension for Adobe Commerce and Magento storefronts, and the unauthenticated, client-side-cookie nature of CVE-2026-45247 means any storefront running a vulnerable version is exposed to a crafted request. Both classes of site — small-to-mid-sized WordPress properties and Magento stores — tend to be operated outside central IT, which widens the patch gap.
The structural risk is the consequence of code execution on a web server. An attacker with arbitrary PHP execution can install web shells, create administrator accounts, inject SEO spam or affiliate redirects, host phishing pages on a legitimate domain, drop payment-card skimmers on checkout flows — a particular concern for the e-commerce storefronts exposed by the Mirasvit flaw — or hand the host to a botnet. The reporting on Everest Forms specifically advises auditing for unauthorized administrator accounts as a post-exploitation indicator, which reflects that creating a rogue administrator is a common post-exploitation step once attackers have code execution, even though the flaw itself is a PHP-injection RCE rather than a dedicated account-creation bug.
Several specifics should be confirmed against the primary advisories before being treated as settled: the precise affected and fixed version boundaries for both extensions, the KEV remediation due date CISA assigned to CVE-2026-45247, and the current real-world compromise counts as distinct from attack-attempt counts. The Wordfence telemetry for Everest Forms is a floor on activity, not a ceiling — it counts blocks at protected sites, a subset of the affected population — and the true attack rate across the broader internet is almost certainly higher.
Response and Attribution
For WordPress operators running Everest Forms Pro, update to the fixed 1.9.13 release immediately, or deactivate the plugin if an update cannot be applied right now — particularly on any site whose forms use the Complex Calculation feature. Then audit the WordPress users table for unexpected administrator accounts created in the last 30 to 60 days and review server logs for suspicious requests to the form-processing endpoints, since patch latency is the whole exposure here and exploitation has been running since April. Treat any site that ran a vulnerable version through that window as potentially compromised until the logs and user table clear it.
For Magento and Adobe Commerce operators, patch Mirasvit Cache Warmer to version 1.11.12 or later per the vendor advisory, and treat the CISA KEV due date as a hard deadline if you are a federal or regulated entity. Hunt for the documented indicator — a CacheWarmer cookie value matching CacheWarmer:(Tz|Qz|YT) — and review storefronts running the extension for web shells, unexpected administrator users, and anomalous PHP execution. Because the Mirasvit flaw sits on a payment-handling platform, prioritize checkout-flow integrity checks for skimmer code as part of the post-patch review.
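The hunt described above, as an added example that is not from the article or either vendor: a small PHP CLI script that scans access-log lines for the documented indicator `CacheWarmer:(Tz|Qz|YT)`. It assumes a hypothetical log format in which the request's Cookie header is recorded as the last quoted field (for Apache, a `LogFormat` ending in `"%{Cookie}i"`); the sample lines are constructed, not real traffic. The script also explains why the indicator works: `Tz`, `Qz` and `YT` are how base64 encoding begins for the bytes `O:`, `C:` and `a:`, the PHP serialization records for an object, a custom-serialized object and an array, so the pattern fires only when the encoded payload opens with one of those records and not, for example, with a serialized scalar.

```php
<?php
declare(strict_types=1);

// Added example, not from the article or either vendor. Scans access-log lines
// for the indicator the article documents, CacheWarmer:(Tz|Qz|YT). Assumes a
// hypothetical log format whose last quoted field is the request Cookie header
// (Apache: LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Cookie}i\"").
//
// Why those prefixes: base64("O:...") begins "Tz", base64("C:...") begins "Qz",
// base64("a:...") begins "YT". Those are PHP's serialization records for an
// object, a custom-serialized object and an array, so a match means the cookie
// payload opens with one of them; a serialized scalar (e.g. "s:") does not match.

const CACHE_WARMER_IOC = '/CacheWarmer:(Tz|Qz|YT)/';
const RECORD_TYPE = ['Tz' => 'object (O:)', 'Qz' => 'custom object (C:)', 'YT' => 'array (a:)'];

/** Return one triage entry per matching line: line number, client IP, record type. */
function huntCacheWarmerCookies(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        if (!preg_match(CACHE_WARMER_IOC, $line, $m)) {
            continue;
        }
        // First whitespace-delimited token is the client address in this format.
        $ip = preg_match('/^(\S+)/', $line, $ipm) === 1 ? $ipm[1] : '?';
        $hits[] = ['line' => $i + 1, 'ip' => $ip, 'record' => RECORD_TYPE[$m[1]]];
    }
    return $hits;
}

// Constructed sample log lines (not real traffic); cookie payloads are truncated.
// Line 2 carries a benign scalar payload (base64 of "s:3:\"a...") and must not match.
$sample = [
    '198.51.100.7 - - [26/May/2026:09:58:12 +0000] "GET /catalog HTTP/1.1" 200 8123 "-"',
    '198.51.100.7 - - [26/May/2026:09:58:40 +0000] "GET / HTTP/1.1" 200 5120 "CacheWarmer:czozOiJh"',
    '203.0.113.10 - - [26/May/2026:10:01:03 +0000] "GET / HTTP/1.1" 200 5120 "CacheWarmer:Tzo4OiJz"',
    '203.0.113.10 - - [26/May/2026:10:01:04 +0000] "GET / HTTP/1.1" 200 5120 "CacheWarmer:YToxOns"',
];

// Usage: php hunt.php /var/log/apache2/access.log ; with no argument the sample runs.
$lines = $argc > 1
    ? (file($argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [])
    : $sample;

foreach (huntCacheWarmerCookies($lines) as $hit) {
    printf("line %d  ip %-15s  payload opens with %s\n", $hit['line'], $hit['ip'], $hit['record']);
}
```

Matches are attempts, not confirmed compromises: a hit on a storefront that was already at 1.11.12 or later at the time of the request is a probe, while a hit that predates the patch on that host is the trigger for the web-shell, administrator-user and checkout-integrity review described above.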
For all web-platform owners, the durable action is programmatic rather than per-incident: maintain a live plugin and extension inventory with a patch service-level objective, and fold the extension layer into the vulnerability-management program that already covers the rest of the estate — including the marketing-team-managed microsites and storefronts that typically sit outside it. On attribution, there is none to give for either flaw: no threat actor has been named in connection with the observed exploitation, and the activity has the automated, mass-scanning signature of opportunistic exploitation rather than a targeted campaign. Any claim tying these to a specific group would be speculation rather than a finding.
The CyberSignal Analysis
Signal 01 — The Cadence Is the Argument
A single plugin RCE is a patch ticket; a sub-weekly stream of them across two ecosystems is a program problem. The reason to cluster Everest Forms and Mirasvit with Kirki and WP Maps Pro is that the frequency, not any individual flaw, is what should change defender behavior. When actively exploited extension RCE arrives this often, reacting to each headline is a losing posture. The rational response is to treat plugin and extension management as a continuous, measured program with a hard patch SLO — the same seriousness organizations already apply to operating-system and core-application patching.
Signal 02 — The Patch Gap Lives in the Extension Layer
Both flaws had fixes available before mass exploitation, and both were exploited anyway because a long tail of installations never updated. That gap is structural: extension updates are often manual, vendors lack a push channel, and the operators are frequently non-security staff. The implication is that the security of a web estate is gated less by how fast vendors patch and more by how fast operators apply those patches — which is why automated update enforcement, inventory, and ownership of the extension layer matter more than tracking individual CVEs. Closing the gap is an operational discipline, not a vendor responsibility.
Signal 03 — Marketing-Managed Web Is the Soft Underbelly
The recurring through-line of the 2026 plugin cluster is that the highest-value, lowest-defended assets in many organizations are the content sites and storefronts run by marketing and commerce teams, not the production applications run by engineering. Those properties carry the brand, handle customer interactions and, in the Magento case, process payments — yet they routinely sit outside the asset inventory, vulnerability scanning and patch-management programs that cover the core stack. CVE-2026-3300 and CVE-2026-45247 are the type cases: niche extensions installed for a single business need become the path to code execution on a brand-controlled, sometimes payment-handling, host. The structural fix is to bring those sites into the same security program as everything else.