What Happened
Threat actors are actively exploiting a critical security flaw in Everest Forms Pro, a WordPress plugin with about 4,000 active installations, to execute arbitrary code, leading to a complete site compromise. The vulnerability in question is CVE-2026-3300 (CVSS score: 9.8), a remote code execution bug impacting all versions of the plugin up to, and including, 1.9.12. A patch for the flaw was
Why It Matters
The article reports active exploitation of CVE-2026-3300, a critical remote code execution vulnerability (CVSS 9.8) in the Everest Forms Pro WordPress plugin (≤ 1.9.12), allowing unauthenticated attackers to execute arbitrary code and fully compromise affected sites.[3][4] A patch is available in version 1.9.13 and above, and guidance includes updating immediately, checking for unauthorized admin users, and deploying WAF protections.[3] From a CyberSE.AI perspective, this highlights broader AI/software supply chain risk: compromised CMS plugins can be a pivot to inject malicious scripts, exfiltrate data, or tamper with any AI-powered features or agents integrated into the same web stack. Organizations should maintain an SBOM for web components, enforce rapid patch management for third-party integrations that underpin AI services, and include these dependencies in AI security readiness and continuous monitoring programs.
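The guidance above (update past 1.9.12, look for administrator accounts nobody created) can be turned into a repeatable check. The script below is an added example, not code from the article, The Hacker News, or the plugin vendor: it reads the JSON that WP-CLI's `wp plugin list --format=json` and `wp user list --role=administrator --format=json` emit, flags an Everest Forms Pro install below 1.9.13, and lists administrator logins missing from a site-maintained allowlist. The plugin slug `everest-forms-pro`, the allowlist and both JSON samples are constructed assumptions; only the version boundary comes from the advisory.

```python
"""Triage helper for the Everest Forms Pro advisory (added example, not the
article's or vendor's code): flag a vulnerable plugin version and unexpected
administrator accounts from WP-CLI JSON output."""
import json
from datetime import datetime

PATCHED_VERSION = (1, 9, 13)       # first fixed release named in the advisory
PLUGIN_SLUG = "everest-forms-pro"  # assumed slug as shown by `wp plugin list`

# Constructed sample of `wp plugin list --format=json` output (vulnerable build).
SAMPLE_PLUGINS = json.dumps([
    {"name": "everest-forms-pro", "status": "active", "update": "available", "version": "1.9.12"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])

# Same sample after the update has been applied.
SAMPLE_PLUGINS_PATCHED = json.dumps([
    {"name": "everest-forms-pro", "status": "active", "update": "none", "version": "1.9.13"},
])

# Constructed sample of `wp user list --role=administrator --format=json` output.
SAMPLE_ADMINS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2023-04-02 10:11:12"},
    {"ID": 57, "user_login": "wp_support", "user_email": "support@example.net",
     "user_registered": "2026-06-03 02:14:55"},
])

KNOWN_ADMINS = {"siteowner"}  # assumed allowlist kept by the site team


def parse_version(text):
    """Turn '1.9.12' into (1, 9, 12); non-numeric pieces compare as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def vulnerable_plugin_version(plugins_json, slug=PLUGIN_SLUG, fixed=PATCHED_VERSION):
    """Return the installed version string if the plugin is below the fixed
    release, None if it is patched or not installed."""
    for plugin in json.loads(plugins_json):
        if plugin.get("name") == slug:
            return plugin["version"] if parse_version(plugin["version"]) < fixed else None
    return None


def unexpected_admins(admins_json, known_logins, since=None):
    """Return administrator logins that are not on the allowlist. With `since`
    (an ISO date string) only accounts registered on or after that date are kept,
    which narrows the list to the exploitation window being investigated."""
    cutoff = datetime.fromisoformat(since) if since else None
    flagged = []
    for user in json.loads(admins_json):
        if user["user_login"] in known_logins:
            continue
        if cutoff is not None:
            registered = datetime.fromisoformat(user["user_registered"])
            if registered < cutoff:
                continue
        flagged.append(user["user_login"])
    return flagged


def triage(plugins_json, admins_json, known_logins, since=None):
    """Combine both checks into one report dictionary."""
    return {
        "vulnerable_version": vulnerable_plugin_version(plugins_json),
        "unexpected_admins": unexpected_admins(admins_json, known_logins, since),
    }


if __name__ == "__main__":
    # With the constructed samples this reports version 1.9.12 and "wp_support".
    print(json.dumps(triage(SAMPLE_PLUGINS, SAMPLE_ADMINS, KNOWN_ADMINS), indent=2))
```

Against a real site, capture the two WP-CLI outputs to files and pass their contents to `triage()`; an unexpected administrator is a lead to investigate against the web server logs rather than proof of compromise, and an empty list does not rule out other persistence such as modified plugin files.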
CyberSE Analysis
This signal maps to the AI supply chain risk class. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/06/hackers-exploit-critical-everest-forms.html