A critical vulnerability in Everest Forms Pro, a WordPress plugin, allows attackers to inject PHP code via form fields, resulting in the creation of rogue administrator accounts. Tracked as CVE-2026-3300, the flaw was patched by WPEverest on March 18, but exploitation began just 26 days later, with over 29,300 attempts blocked. The vulnerability was discovered by researcher h0xilo and submitted to Wordfence's bug bounty program, earning a $325 reward. Despite the patch being available, many sites remain vulnerable, expanding the active attack surface. The window between patch release and first observed exploitation highlights the need for prompt updates, prioritized by exposure and by evidence of exploitation in the wild. For practitioners, the case underscores the importance of timely patching and of monitoring for suspicious activity, such as unexpected administrator accounts, so that attackers cannot gain admin access to WordPress sites.