A critical vulnerability, tracked as CVE-2026-3300, in the Everest Forms Pro WordPress plugin (installed on more than 100,000 sites) is being actively exploited. The flaw stems from improper handling of user-supplied input: an unauthenticated remote attacker can inject arbitrary PHP code simply by submitting crafted values in form fields, and that code then executes on the server.
The vulnerability carries a critical CVSS score of 9.8. It was fixed in version 1.9.13, released in March; in-the-wild exploitation began in April, and more than 29,000 attack attempts have been blocked since. Site owners should update to 1.9.13 or later immediately. Because updating closes the entry point but does not undo anything an attacker already did, they should also audit the site for administrator accounts they did not create.
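The two remediation steps above, checking the installed plugin version against the fixed release and looking for administrator accounts created during the exploitation window, can be scripted. The following is an added example, not code from the article or from the plugin vendor. It assumes the installed version is read from the plugin's main-file header (the standard WordPress `Version:` header field) or from `wp plugin get <slug> --field=version`, that administrator accounts are exported with `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=json`, and that the audit cutoff is the start of the patch/exploitation window; the cutoff date, the plugin slug and the sample data are assumptions, not facts from the advisory.

```python
"""Post-advisory audit for CVE-2026-3300 (Everest Forms Pro).

Added example; not the page's or the vendor's code. Assumptions:
- plugin version comes from the main plugin file header ("Version: x.y.z")
  or from `wp plugin get everest-forms-pro --field=version` (slug assumed);
- admin accounts come from
  `wp user list --role=administrator \
      --fields=ID,user_login,user_email,user_registered --format=json`;
- REVIEW_SINCE is an assumed cutoff (patch shipped in March, exploitation
  began in April); tune it to your own site's history.
"""
import json
import re
from datetime import datetime

FIXED_VERSION = "1.9.13"      # first patched release named in the advisory
REVIEW_SINCE = "2026-03-01"   # assumption: start of the window to audit


def parse_version(text):
    """Turn '1.9.12' (or '1.9.12-beta') into a comparable integer tuple."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:        # so 1.9 compares equal to 1.9.0
        parts.append(0)
    return tuple(parts)


def version_from_plugin_header(header_text):
    """Extract the 'Version:' field from a WordPress plugin file header."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    if not m:
        raise ValueError("no Version: field in plugin header")
    return m.group(1)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed release predates the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def suspicious_admins(users_json, since=REVIEW_SINCE):
    """Return logins of administrators registered on or after the cutoff.

    `user_registered` uses WordPress's 'YYYY-MM-DD HH:MM:SS' format.
    """
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    flagged = []
    for u in json.loads(users_json):
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= cutoff:
            flagged.append(u["user_login"])
    return flagged


def audit(header_text, users_json):
    """Combine both checks into one summary dict."""
    installed = version_from_plugin_header(header_text)
    return {
        "installed": installed,
        "vulnerable": is_vulnerable(installed),
        "suspicious_admins": suspicious_admins(users_json),
    }


# Constructed sample data (not real site data): an unpatched install and
# an admin account that appeared during the exploitation window.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Everest Forms Pro
 * Version: 1.9.12
 */
"""
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2021-05-02 09:12:44"},
    {"ID": 57, "user_login": "wp-support", "user_email": "x@example.net",
     "user_registered": "2026-04-15 03:21:07"},
])

if __name__ == "__main__":
    result = audit(SAMPLE_HEADER, SAMPLE_USERS)
    print(f"installed {result['installed']}, vulnerable: {result['vulnerable']}")
    if result["suspicious_admins"]:
        print("review these administrator accounts:",
              ", ".join(result["suspicious_admins"]))
```

On a live site, pipe the WP-CLI JSON export into `suspicious_admins` and the plugin's main file into `version_from_plugin_header`; a flagged account is a lead to investigate, not proof of compromise, so confirm each one against your own change records.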