Everest Forms Pro Vulnerability Allows Remote Code Execution on WordPress Sites
ID: cbde5502-5bd5-54ba-bfc1-a5a9b23a1ab4
STIX ID: report--cbde5502-5bd5-54ba-bfc1-a5a9b23a1ab4
Feed Name: Infosecurity Magazine (News)
**Executive summary:** A critical remote code execution vulnerability (CVE-2026-3300, CVSS 9.8) in the Everest Forms Pro WordPress plugin permits unauthenticated PHP injection through the Calculation add-on when "Complex Calculation" is enabled; WPEverest patched the issue in v1.9.13 but versions up to 1.9.12 remain vulnerable. Wordfence reports active exploitation beginning April 13, 2026 with more than 29,300 blocked attempts (a May 16 surge of ~17,900) and observed payloads creating a rogue administrator account named "diksimarina" ([email protected]) originating largely from IP 202.56.2.126; site operators should update immediately and monitor for the listed IOCs.
