A critical vulnerability in the Everest Forms WordPress plugin (versions up to 3.4.3) allows unauthenticated attackers to inject malicious code through public contact forms; the code executes when an administrator reviews submissions. The attack requires no login and can result in full server compromise, including remote code execution and unauthorized file access. The vulnerability is confirmed as actively exploited and is listed in both the CISA and VulnCheck Known Exploited Vulnerabilities catalogs, making immediate remediation a priority. It is fixed in version 3.4.4 and later.

Author

Tech Jacks Solutions