What Happened
The flaw allows attackers to execute arbitrary code remotely and has been exploited in the wild for two months. The post Everest Forms Vulnerability Exploited to Hack WordPress Sites appeared first on SecurityWeek.
Why It Matters
SecurityWeek reports a critical remote code execution vulnerability (CVE-2026-3300, CVSS 9.8) in the Everest Forms Pro WordPress plugin that allows unauthenticated attackers to inject PHP code via the Complex Calculation feature and fully compromise sites; active exploitation has been observed in the wild for months.[1][6] Defiant/Wordfence notes that attackers are using this flaw to create administrator accounts and deploy web shells, and advises updating immediately to version 1.9.13 or later and checking for unauthorized administrator users.[1][6]
From a CyberSE.AI perspective, this incident illustrates how third-party web components and plugins form a critical part of the broader software and AI supply chain, especially where such plugins are integrated into data collection front-ends for AI systems. Organizations should maintain SBOM-level visibility into all web and plugin dependencies used alongside AI workflows, enforce rapid patching and hardening for form and integration plugins, and continuously assess how a compromised web component could be abused to pivot into AI backends, exfiltrate training or production data, or tamper with AI inputs and outputs.
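The two checks the advisory recommends, an installed-version comparison against 1.9.13 and a review of administrator accounts, as an added Python example that is not code from SecurityWeek, Wordfence or the plugin itself; the plugin header text, user records and the exploitation-window date are constructed samples, and the allow-list of expected administrators is an assumption the operator supplies.

```python
import re
from datetime import datetime

FIXED_VERSION = "1.9.13"  # first fixed release named in the advisory

def version_tuple(version: str) -> tuple:
    """'1.9.12' -> (1, 9, 12). Numeric tuples compare correctly where a plain
    string compare would rank '1.10.0' below '1.9.13'."""
    return tuple(int(p) for p in version.strip().split("."))

def installed_version(plugin_file_text: str) -> str:
    """Read the 'Version:' line from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", plugin_file_text, re.MULTILINE)
    if not m:
        raise ValueError("no Version: header in plugin file")
    return m.group(1)

def needs_update(plugin_file_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed plugin is older than the fixed release."""
    return version_tuple(installed_version(plugin_file_text)) < version_tuple(fixed)

def unexpected_admins(users, allow_list, since: str):
    """Administrator logins that are not on the operator's allow-list or were
    registered on/after `since` (start of the suspected exploitation window)."""
    cutoff = datetime.strptime(since, "%Y-%m-%d %H:%M:%S")
    flagged = []
    for u in users:
        if u["role"] != "administrator":
            continue
        registered = datetime.strptime(u["registered"], "%Y-%m-%d %H:%M:%S")
        if u["login"] not in allow_list or registered >= cutoff:
            flagged.append(u["login"])
    return flagged

# Constructed sample inputs; not real site data or the real plugin file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Everest Forms Pro
 * Version: 1.9.12
 */
"""
SAMPLE_USERS = [
    {"login": "siteowner", "registered": "2024-01-10 09:00:00", "role": "administrator"},
    {"login": "editor1", "registered": "2025-11-02 12:00:00", "role": "editor"},
    {"login": "wp_support_1", "registered": "2026-03-04 03:12:44", "role": "administrator"},
]

if __name__ == "__main__":
    print("update required:", needs_update(SAMPLE_HEADER))
    print("review these admins:", unexpected_admins(SAMPLE_USERS, {"siteowner"}, "2026-01-01 00:00:00"))
```

On a live site the header text comes from the plugin's main PHP file and the user records from the wp_users table or an administrator export; any flagged account should be reviewed alongside web-shell indicators rather than simply deleted.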
CyberSE Analysis
This signal maps to the AI supply chain risk class. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://www.securityweek.com/everest-forms-vulnerability-exploited-to-hack-wordpress-sites/