Critical Everest Forms Pro flaw exploited to take over WordPress sites
ID: 2f1ccb72-840c-5e88-9fdd-22d7374cd8e7
STIX ID: report--2f1ccb72-840c-5e88-9fdd-22d7374cd8e7
Feed Name: Bleeping Computer
Everest Forms Pro versions 1.9.12 and earlier contain a critical unauthenticated remote code execution vulnerability, tracked as CVE-2026-3300, in the plugin's Complex Calculation feature. The feature assembles PHP code from form input and runs it through eval(), so an unauthenticated attacker can inject arbitrary PHP, for example a call to wp_insert_user() that creates an administrator account, and take full control of the site. A patch was issued on March 18; active exploitation began on April 13. Wordfence reports blocking more than 29,300 exploit attempts and has identified the offending IP addresses and the account name "diksimarina" as indicators of compromise. Site owners should update to the patched release and audit their administrator accounts for users they did not create.
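To make the bug class concrete, here is an added example (not code from Everest Forms Pro, and not Wordfence's detection logic) that places the vulnerable pattern the advisory describes, user input spliced into PHP source and handed to eval(), beside a hardened calculator that never builds or executes PHP. The function and class names (vulnerable_calculate, SafeCalculator, create_admin), the formula and the field values are all invented for the demonstration; create_admin() stands in for the wp_insert_user() call the advisory says attackers used.

```php
<?php
// Added example; not the plugin's code. Names and inputs are constructed.

// Stand-in for attacker-supplied PHP (the real attack called wp_insert_user()).
function create_admin(): int
{
    echo "attacker-controlled PHP executed\n";
    return 0;
}

// --- Vulnerable pattern (hypothetical; do not deploy) -----------------------
// Placeholders such as {qty} are replaced with raw submitted values and the
// resulting string is evaluated as PHP, so a value that closes the current
// expression and opens another runs arbitrary code.
function vulnerable_calculate(string $formula, array $fields)
{
    foreach ($fields as $name => $value) {
        $formula = str_replace('{' . $name . '}', (string) $value, $formula);
    }
    return eval('return ' . $formula . ';');   // untrusted input reaches eval()
}

// --- Hardened replacement -------------------------------------------------
// The formula is tokenized against a whitelist, field values are coerced to
// numbers inside the parser (never into source text), and the arithmetic is
// done by a small recursive-descent evaluator. There is no code to inject into.
final class SafeCalculator
{
    private array $tokens = [];
    private int $pos = 0;
    private array $fields = [];

    /** @throws InvalidArgumentException on any disallowed or malformed input */
    public function calculate(string $formula, array $fields): float
    {
        $stripped = preg_replace('/\s+/', '', $formula);
        preg_match_all('/\{[A-Za-z0-9_]+\}|\d+(?:\.\d+)?|[-+*\/()]/', $stripped, $m);
        // Every character must belong to a recognised token, or the formula is rejected.
        if (implode('', $m[0]) !== $stripped) {
            throw new InvalidArgumentException('Formula contains disallowed characters');
        }
        $this->tokens = $m[0];
        $this->pos = 0;
        $this->fields = $fields;
        $result = $this->expr();
        if ($this->pos !== count($this->tokens)) {
            throw new InvalidArgumentException('Unexpected token: ' . $this->tokens[$this->pos]);
        }
        return $result;
    }

    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }
    private function take(): ?string { return $this->tokens[$this->pos++] ?? null; }

    // expr := term (('+'|'-') term)*
    private function expr(): float
    {
        $v = $this->term();
        while (in_array($this->peek(), ['+', '-'], true)) {
            $op = $this->take();
            $r = $this->term();
            $v = ($op === '+') ? $v + $r : $v - $r;
        }
        return $v;
    }

    // term := factor (('*'|'/') factor)*
    private function term(): float
    {
        $v = $this->factor();
        while (in_array($this->peek(), ['*', '/'], true)) {
            $op = $this->take();
            $r = $this->factor();
            if ($op === '/' && $r == 0.0) {
                throw new InvalidArgumentException('Division by zero');
            }
            $v = ($op === '*') ? $v * $r : $v / $r;
        }
        return $v;
    }

    // factor := '-' factor | '(' expr ')' | number | '{' field '}'
    private function factor(): float
    {
        $t = $this->take();
        if ($t === '-') {
            return -$this->factor();
        }
        if ($t === '(') {
            $v = $this->expr();
            if ($this->take() !== ')') {
                throw new InvalidArgumentException('Expected )');
            }
            return $v;
        }
        if ($t !== null && $t[0] === '{') {
            $name = substr($t, 1, -1);
            $value = $this->fields[$name] ?? null;
            if (!is_numeric($value)) {   // a payload like "1;wp_insert_user(...)" fails here
                throw new InvalidArgumentException("Field {$name} is not numeric");
            }
            return (float) $value;
        }
        if ($t !== null && is_numeric($t)) {
            return (float) $t;
        }
        throw new InvalidArgumentException('Unexpected token: ' . var_export($t, true));
    }
}

// Constructed inputs; no WordPress install is needed to run this file.
$formula = '({price} * {qty}) - {discount}';
$honest  = ['price' => '19.99', 'qty' => 3, 'discount' => '5'];
$payload = ['price' => '19.99', 'qty' => '3) + create_admin() + (0', 'discount' => '5'];

echo "Vulnerable, payload: " . vulnerable_calculate($formula, $payload) . "\n";  // create_admin() runs
$calc = new SafeCalculator();
echo "Hardened, honest input: " . $calc->calculate($formula, $honest) . "\n";
try {
    $calc->calculate($formula, $payload);
} catch (InvalidArgumentException $e) {
    echo "Hardened, payload: rejected (" . $e->getMessage() . ")\n";
}
```

The payload keeps the vulnerable version's parentheses balanced so eval() accepts it, which is why the injected call executes even though the formula still "works". The hardened version rejects the same value because a field can only ever become a number; there is no string of PHP for it to land in, which is the property a patch for this bug class has to restore.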
