Everest Forms Pro Flaw Exploited in the Wild to Hijack WordPress Sites
ID: ab77ce27-f085-5c46-acc9-070586f76be5
STIX ID: report--ab77ce27-f085-5c46-acc9-070586f76be5
Feed Name: securityonline.info
A critical RCE vulnerability in the Everest Forms Pro WordPress plugin (CVE-2026-3300, CVSS 9.8) allows unauthenticated attackers to inject PHP via improperly sanitized form calculations in `process_filter()`, which uses `eval`. Threat telemetry shows large-scale automated exploitation beginning April 13, 2026, including attempts to create a rogue admin account `diksimarina`. Administrators should immediately update to Everest Forms Pro v1.9.13 or later and audit user accounts for unauthorized handles.
