A recent vulnerability, tracked as CVE-2026-3300, has been identified in the Everest Forms Pro plugin for WordPress, allowing attackers to gain admin access by injecting PHP code via form fields. Discovered by researcher h0xilo and disclosed through Wordfence, the issue arises from a flawed `process_filter()` function that concatenates user inputs into executable PHP code. Since public disclosure, over 29,300 exploit attempts have been blocked, with a spike in activity recorded on May 16, 2026.
Users are urged to update to version 1.9.13, released on March 18, and audit for any unauthorized admin accounts created during the exploit period. The flaw highlights the importance of timely updates and vigilant monitoring for WordPress security.
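One concrete way to carry out the audit recommended above is to query the WordPress database directly for administrator accounts created after the patch was released. The query below is an added example, not code from Wordfence, the researcher, or the Everest Forms project; it assumes the default `wp_` table prefix, a single-site install, and uses the 18 March release date from the article as the start of the review window (an assumption, since the article does not state when exploitation began).

```sql
-- Added example (not from the advisory): list administrator accounts
-- registered on or after the fix release, for manual review.
-- Assumptions: default 'wp_' table prefix, single-site WordPress.
-- On a custom prefix or multisite, change both the table names and the
-- meta_key (it is '<prefix>capabilities', e.g. 'wp_3_capabilities').
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.user_registered,
       m.meta_value AS capabilities
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID
 AND m.meta_key = 'wp_capabilities'
-- meta_value is a PHP-serialized array, so match it as a substring.
WHERE m.meta_value LIKE '%"administrator"%'
  -- Review window start: the 1.9.13 release date given in the article
  -- (assumption; widen it if your logs show earlier exploit attempts).
  AND u.user_registered >= '2026-03-18 00:00:00'
ORDER BY u.user_registered DESC;

-- Companion check: administrator accounts whose ID is higher than the
-- last user the site owner knowingly created. An account with full
-- admin rights can edit its own user_registered timestamp, so the
-- auto-increment ID is a second, harder-to-forge ordering signal.
-- Replace 42 with the ID of the newest legitimate user (placeholder).
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID
 AND m.meta_key = 'wp_capabilities'
WHERE m.meta_value LIKE '%"administrator"%'
  AND u.ID > 42
ORDER BY u.ID;
```

Any row returned by either query should be matched against a change-management record or the site owner's memory before it is kept; an account nobody can vouch for should have its sessions and application passwords revoked and its role removed, and the web server and plugin logs around its `user_registered` time reviewed for the form submissions that created it.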