The Everest Forms Pro WordPress plugin contains a critical remote code execution vulnerability tracked as CVE-2026-3300 with a CVSS score of 9.8. The vulnerability arises because the plugin's Complex Calculation feature improperly escapes single quotes and other characters when incorporating user input into PHP code strings. An unauthenticated attacker can submit crafted input containing a single quote followed by malicious PHP code and a comment character, resulting in arbitrary PHP code execution on the server. This allows attackers to create administrative accounts or deploy web shells, effectively taking over vulnerable WordPress sites. The vulnerability affects over 100,000 sites and has been exploited in the wild since April 2026. The issue was fixed in Everest Forms Pro version 1.9.13 released in March 2026.

Successful exploitation allows unauthenticated remote attackers to execute arbitrary PHP code on affected WordPress sites, leading to full site takeover. Attackers have used this to create unauthorized administrative accounts and deploy web shells. Over 29,000 exploit attempts have been blocked by security firms. The vulnerability impacts site integrity, confidentiality, and availability by enabling attacker control over the WordPress environment.

An official patch addressing this vulnerability is available in Everest Forms Pro version 1.9.13 and later. Site administrators should update to this version immediately. Additionally, administrators should audit their WordPress sites for unauthorized administrator accounts, especially those with the username 'diksimarina' or the email address 'diksimarina@gmail.com'. No other specific mitigations are indicated by the vendor advisory.