securityonline.info 6/4/2026, 2:07:53 AM · external

Everest Forms Pro flaw lets hackers take over WordPress sites

CyberSIXT Evidence Panel
Primary Source: wordfence.com
CISA KEV: Not in KEV
Patch: Patch Status Unknown

A critical vulnerability (CVE-2026-3300) in the Everest Forms Pro WordPress plugin allows unauthenticated attackers to execute arbitrary PHP code, potentially compromising entire websites. This flaw is linked to an input validation error within the plugin’s calculation feature, enabling attackers to inject malicious code via improperly handled single quotes.

An alarming surge in exploit attempts has been observed since April 2026, with automated attacks creating rogue admin accounts, such as ‘diksimarina’, on targeted sites. Website administrators are urged to update to Everest Forms Pro version 1.9.13 or higher and audit user profiles for unauthorized accounts to mitigate this risk.
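
One way to carry out the version check and the administrator audit described above, as an added example that is not code from the article or from Wordfence. It assumes the administrator list was exported with WP-CLI as JSON, that you keep your own list of approved administrator logins, and that the attack window starts on 1 April 2026; the sample export is constructed.

```python
import json
import re
from datetime import datetime

FIXED_VERSION = (1, 9, 13)            # first fixed release named in the article
KNOWN_ROGUE_LOGINS = {"diksimarina"}  # account name named in the article
WINDOW_START = datetime(2026, 4, 1)   # "since April 2026"; the exact day is an assumption


def is_patched(installed: str) -> bool:
    """Compare numerically: as strings, "1.9.9" would wrongly sort above "1.9.13"."""
    parts = tuple(int(n) for n in re.findall(r"\d+", installed))
    return parts >= FIXED_VERSION


def audit_admins(wp_cli_json: str, approved: set) -> list:
    """Flag administrators that are unapproved or match a reported rogue login."""
    # Expected input: wp user list --role=administrator
    #   --fields=user_login,user_email,user_registered --format=json
    findings = []
    for user in json.loads(wp_cli_json):
        login = user["user_login"]
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if login.lower() in KNOWN_ROGUE_LOGINS:
            reasons.append("login reported in exploitation attempts")
        if login not in approved:
            reasons.append("not on the approved administrator list")
        if reasons and registered >= WINDOW_START:
            reasons.append("created during the reported attack window")
        if reasons:
            findings.append({"login": login, "email": user["user_email"], "reasons": reasons})
    return findings


# Constructed sample export (not real data).
SAMPLE = json.dumps([
    {"user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2023-02-10 09:15:00"},
    {"user_login": "diksimarina", "user_email": "unknown@example.org",
     "user_registered": "2026-04-17 03:12:45"},
    {"user_login": "support_temp", "user_email": "temp@example.com",
     "user_registered": "2026-05-02 14:30:10"},
])

if __name__ == "__main__":
    print("1.9.9 patched:", is_patched("1.9.9"))
    for f in audit_admins(SAMPLE, approved={"siteowner"}):
        print(f["login"], "->", "; ".join(f["reasons"]))
```

An account that matches the reported login is flagged even if it appears on the approved list, since an attacker-created administrator could have been added to that list by mistake.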

Article by CyberSIXT