Live Cybersecurity News Ticker | Codekeeper

Hackers Exploiting Critical WordPress Plugin Flaw in Thousands of Daily Attacks

Written by Content Team | Jun 5, 2026 12:18:09 PM

A critical vulnerability in the Everest Forms Pro WordPress plugin is under active attack, with over 29,300 exploitation attempts blocked since April 13, 2026. The flaw, CVE-2026-3300, scores a near-perfect 9.8 on the CVSS scale and affects all versions up to 1.9.12.

The bug lives in the plugin's "Complex Calculation" feature, where user inputs are passed directly into PHP's eval() function without proper sanitization. Attackers don't need credentials — they just submit a crafted form field. Most attacks aim to create rogue admin accounts, with one common payload creating a user named "diksimarina."
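The pattern the article describes, and the usual fix, as an added illustration that is not the plugin's code: the unsafe version splices the submitted template into eval(), so whatever PHP is in the field runs; the hardened version only accepts a strict arithmetic grammar (numbers, the four operators, parentheses and numeric `{field}` placeholders) and evaluates it with its own shunting-yard parser, so there is no code path to eval() at all. Function and field names here are hypothetical.

```php
<?php
// Unsafe pattern (illustration only): placeholders are substituted and the
// resulting string is handed to eval(). Any PHP in the field is executed.
function calculate_unsafe(string $formula, array $fields): string
{
    foreach ($fields as $key => $value) {
        $formula = str_replace('{' . $key . '}', (string) $value, $formula);
    }
    return (string) eval('return ' . $formula . ';'); // code injection
}

// Hardened version: a closed arithmetic grammar, parsed and evaluated by hand.
function calculate_safe(string $formula, array $fields): float
{
    // Placeholders resolve only to numeric field values, emitted in a fixed
    // decimal form; negatives are wrapped so the grammar stays binary-only.
    $formula = preg_replace_callback('/\{([a-z0-9_]+)\}/i', function ($m) use ($fields) {
        if (!isset($fields[$m[1]]) || !is_numeric($fields[$m[1]])) {
            throw new InvalidArgumentException('Unknown or non-numeric field: ' . $m[1]);
        }
        $v = (float) $fields[$m[1]];
        $s = number_format(abs($v), 6, '.', '');
        return $v < 0 ? "(0-$s)" : $s;
    }, $formula);

    // Whole-string validation: anything outside the token set is rejected,
    // so function names, quotes, semicolons, etc. never reach the evaluator.
    $formula = preg_replace('/\s+/', '', $formula);
    if ($formula === '' || !preg_match('/^(?:\d+(?:\.\d+)?|[-+*\/()])+$/', $formula)) {
        throw new InvalidArgumentException('Formula contains disallowed characters');
    }
    preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $formula, $m);
    $tokens = $m[0];

    // Shunting-yard: infix tokens to reverse Polish notation.
    $prec = ['+' => 1, '-' => 1, '*' => 2, '/' => 2];
    $output = [];
    $ops = [];
    foreach ($tokens as $t) {
        if (is_numeric($t)) {
            $output[] = (float) $t;
        } elseif ($t === '(') {
            $ops[] = $t;
        } elseif ($t === ')') {
            while ($ops && end($ops) !== '(') {
                $output[] = array_pop($ops);
            }
            if (!$ops) {
                throw new InvalidArgumentException('Unbalanced parentheses');
            }
            array_pop($ops);
        } else { // left-associative binary operator
            while ($ops && end($ops) !== '(' && $prec[end($ops)] >= $prec[$t]) {
                $output[] = array_pop($ops);
            }
            $ops[] = $t;
        }
    }
    while ($ops) {
        $op = array_pop($ops);
        if ($op === '(') {
            throw new InvalidArgumentException('Unbalanced parentheses');
        }
        $output[] = $op;
    }

    // Evaluate the RPN with a plain stack machine.
    $stack = [];
    foreach ($output as $item) {
        if (is_float($item)) {
            $stack[] = $item;
            continue;
        }
        if (count($stack) < 2) {
            throw new InvalidArgumentException('Malformed expression');
        }
        $b = array_pop($stack);
        $a = array_pop($stack);
        switch ($item) {
            case '+': $stack[] = $a + $b; break;
            case '-': $stack[] = $a - $b; break;
            case '*': $stack[] = $a * $b; break;
            case '/':
                if ($b == 0.0) {
                    throw new InvalidArgumentException('Division by zero');
                }
                $stack[] = $a / $b;
                break;
        }
    }
    if (count($stack) !== 1) {
        throw new InvalidArgumentException('Malformed expression');
    }
    return $stack[0];
}

// Constructed sample submission (hypothetical field names).
$fields = ['field_1' => '12.5', 'field_2' => '4'];
echo calculate_safe('({field_1} + {field_2}) * 2', $fields), PHP_EOL; // 33

try {
    calculate_safe('{field_1} + strlen("x")', $fields); // function call: not in grammar
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The point of the hardened version is not the sanitization of a string that still ends up in eval(), but the removal of eval() entirely: the evaluator can only ever do arithmetic, so a malformed or hostile template fails validation instead of executing.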

A patch (version 1.9.13) has been available since March 18. Update immediately.

Source: Cybersecurity News