Wordfence reports active exploitation of CVE-2026-3300 (CVSS 9.8), a remote code execution flaw in the Everest Forms Pro WordPress plugin (about 4,000 active installations) affecting all versions up to 1.9.12. The Calculation Addon's process_filter() function concatenates user-submitted form-field values into a PHP string and passes it to eval() without proper escaping; sanitize_text_field() does not escape single quotes, so unauthenticated attackers can inject and run arbitrary PHP by submitting a crafted value in any string-type field when a form uses the Complex Calculation feature. Exploitation began April 13; Wordfence has blocked 29,300+ attempts. The common payload creates a rogue admin named 'diksimarina.' Patch 1.9.13 shipped March 18.