Everest Forms Pro RCE exploitation and patch response

Attackers are actively exploiting **CVE-2026-3300** in **Everest Forms Pro** to achieve unauthenticated remote code execution on vulnerable **WordPress** sites. The flaw affects versions through **1.9.12**, carries a **9.8 CVSS** rating, and can lead to full site takeover. Available evidence says exploitation began on **April 13, 2026**, after **WPEverest** had already released **1.9.13** on **March 18, 2026**. The vulnerable path sits in the plugin's **Complex Calculation** feature, where user-controlled form input is concatenated into a PHP string that reaches eval(). Because the input handling does not escape single quotes and related PHP code context characters, a crafted value in a string-type field can inject arbitrary PHP. Observed payloads have attempted to create a rogue administrator account named **diksimarina**, and successful exploitation can also support web shells and persistent footholds. Telemetry has recorded more than **29,300 blocked exploit attempts**, showing sustained abuse rather than isolated scanning. Defenders need to upgrade to **1.9.13** or later, review administrator accounts and logs for suspicious changes, and investigate whether exposed sites were compromised before patching. Available evidence does not identify the threat actor or confirm how many sites were actually compromised.