ctipilot.ch

CVE-2026-3300 — Everest Forms Pro (WordPress): unauthenticated `eval()` injection, actively exploited at scale

From CTI Daily Brief — 2026-06-08 · published 2026-06-08

A pre-authentication PHP code-injection flaw (CVSS 9.8) in the Calculation Addon of the Everest Forms Pro plugin lets an unauthenticated visitor break out of a calculated form field and execute attacker-controlled PHP; the payload observed in the wild creates a rogue administrator account (Wordfence, 2026-06-06; BleepingComputer, 2026-06-06). The vendor patched it in v1.9.13 on 18 March 2026, but Wordfence telemetry shows mass exploitation running since 13 April (29,300+ blocked attempts, a single-day spike of 17,900 on 16 May, still active as of 6 June). Inclusion gate: vendor-confirmed in-the-wild exploitation at scale. Full mechanics, detection and hardening in § 5.
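As an added triage check (not code from the brief, Wordfence or the vendor): it compares an installed plugin version against the fixed release 1.9.13 and lists administrator accounts registered on or after the 13 April exploitation start date, the two facts the brief gives a defender to act on. The wp-cli commands in the comments are the assumed data sources; the plugin slug is a placeholder and the sample data is constructed so the script runs offline.

```shell
#!/bin/sh
PATCHED_VERSION="1.9.13"     # fixed release named in the brief
EXPLOIT_START="2026-04-13"   # first day of mass exploitation per Wordfence telemetry

# Returns 0 (true) when $1 is an older dotted-numeric version than $2.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      ai = (i <= na) ? x[i] + 0 : 0
      bi = (i <= nb) ? y[i] + 0 : 0
      if (ai < bi) exit 0
      if (ai > bi) exit 1
    }
    exit 1
  }'
}

# Prints VULNERABLE when the installed version predates the fixed release, else OK.
plugin_status() {
  if version_lt "$1" "$PATCHED_VERSION"; then echo VULNERABLE; else echo OK; fi
}

# Reads CSV "user_login,user_registered" lines (header first) on stdin and prints
# the logins registered on or after $1, i.e. accounts created during the campaign
# window that deserve manual review, since the observed payload adds a rogue admin.
admins_registered_since() {
  awk -F',' -v since="$1" 'NR > 1 && substr($2, 1, 10) >= since { print $1 }'
}

# Constructed sample data standing in for:
#   wp user list --role=administrator --fields=user_login,user_registered --format=csv
SAMPLE_ADMINS='user_login,user_registered
siteowner,2024-02-01 09:12:44
wp_support_1,2026-05-16 03:27:10
backup_admin,2026-04-20 21:05:03'

main() {
  # On a live site the version would come from:
  #   wp plugin get <plugin-slug> --field=version      (<plugin-slug> is a placeholder)
  installed="1.9.12"   # constructed value
  echo "Everest Forms Pro $installed: $(plugin_status "$installed")"
  echo "Administrator accounts registered since $EXPLOIT_START:"
  printf '%s\n' "$SAMPLE_ADMINS" | admins_registered_since "$EXPLOIT_START"
}

main
```

Accounts the script lists are candidates for review, not proof of compromise; a registration date alone does not establish how the account was created.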