Critical RCE Vulnerability in Everest Forms Pro Plugin Exploited in the Wild Hackers are actively exploiting a severe remote code execution (RCE) vulnerability in the Everest Forms Pro WordPress plugin, tracked as CVE-2026-3300 (CVSS 9.8). The flaw, affecting all versions up to 1.9.12, allows unauthenticated attackers to execute arbitrary PHP code on vulnerable websites by manipulating form inputs. The vulnerability stems from the plugin’s "Complex Calculation" feature, where the `process_filter()` function dynamically constructs and evaluates PHP code using `eval()`. Despite input sanitization via `sanitize_text_field()`, the function fails to escape single quotes, enabling attackers to inject malicious payloads through standard form fields (text, email, URL, select, radio). By appending a single quote followed by arbitrary PHP code, threat actors can bypass security controls and gain server-side execution. Publicly disclosed on March 30, 2026, after a patch was released on March 18, 2026, the flaw saw active exploitation beginning April 13, 2026. Wordfence reported blocking over 29,300 exploitation attempts, with a sharp spike of 17,900 attacks on May 16 alone. Attackers primarily exploit the `/wp-admin/admin-ajax.php` endpoint via crafted POST requests, targeting websites with the Complex Calculation feature enabled. Observed attack patterns include the creation of rogue administrator accounts, such as the username "diksimarina", using WordPress’s `wp_insert_user()` function. Once administrative access is obtained, attackers deploy webshells, backdoors, or further compromise the hosting environment. Multiple malicious IPs have been identified, including: - 202.56.2[.]126 (tens of thousands of blocked requests) - 209.146.60[.]26 (thousands of exploit attempts) - 15.235.166[.]18 (hundreds of malicious requests) - 2402:1f00:8000[:]800::40db (IPv6-based attacks) - 185.78.165[.]153 (hostile scanning activity) While Wordfence provided early protection via firewall rules (February 27 for paid users, March 29 for free users), full mitigation requires updating to version 1.9.13. Indicators of compromise include unauthorized admin accounts and suspicious requests from known malicious IPs. The low barrier to exploitation and active campaign make this a high-impact threat to WordPress environments.