Hackers Actively Exploiting WordPress Plugin Vulnerability to Inject Malicious PHP Code

**Executive Summary:** A critical unauthenticated RCE in Everest Forms Pro (CVE-2026-3300, CVSS 9.8) is being actively exploited in the wild to inject PHP via the plugin's Complex Calculation feature—threat actors create rogue admin accounts and deploy webshells; operators should immediately upgrade to 1.9.13, audit accounts, and block known malicious IPs.