The Everest Forms Pro WordPress plugin (versions 1.9.12 and earlier) contains a critical unauthenticated remote code execution (RCE) vulnerability rooted in an unsafe PHP eval() call in the Complex Calculation feature, exploitable with no credentials and no user interaction. Active exploitation is confirmed, with a consistent payload that creates a backdoor WordPress administrator account under the username ‘diksimarina’, giving attackers persistent full-site control. Any public-facing WordPress installation running this plugin in the affected version range should be treated as compromised until audited and patched.
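An audit check for the two indicators named above (affected version range and the backdoor administrator login), added here as an example and not code from Tech Jacks Solutions or the plugin vendor. It assumes the administrator list has been exported as CSV with a `user_login` column, for instance with WP-CLI's `wp user list --role=administrator --format=csv`, and that the operator supplies the installed plugin version and the set of expected admin logins; the function names and all sample data are constructed.

```python
import csv
import io

IOC_ADMIN_LOGIN = "diksimarina"   # backdoor username named in the advisory
LAST_AFFECTED = (1, 9, 12)        # advisory: "versions 1.9.12 and earlier"


def parse_version(text):
    """Turn '1.9.12' into (1, 9, 12); a non-numeric suffix in a part is ignored."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    while len(parts) < 3:          # pad '1.9' to (1, 9, 0) for comparison
        parts.append(0)
    return tuple(parts)


def audit(plugin_version, admin_csv, known_admins):
    """Return findings for one site; known_admins is a set of lowercase logins."""
    findings = []
    if parse_version(plugin_version) <= LAST_AFFECTED:
        findings.append(f"plugin {plugin_version} is in the affected range")
    for row in csv.DictReader(io.StringIO(admin_csv)):
        login = row["user_login"].strip()
        if login.lower() == IOC_ADMIN_LOGIN:
            findings.append(f"IoC administrator account present: {login}")
        elif login.lower() not in known_admins:
            # Any admin the owner cannot account for deserves review.
            findings.append(f"unrecognised administrator: {login}")
    return findings


if __name__ == "__main__":
    # Constructed sample export, not data from a real site.
    sample = (
        "user_login,user_email,user_registered\n"
        "siteowner,owner@example.com,2021-03-02 10:15:00\n"
        "diksimarina,unknown@example.invalid,2025-01-01 00:00:00\n"
    )
    for finding in audit("1.9.12", sample, {"siteowner"}):
        print(finding)
```

An empty result does not clear a site that ran an affected version while exposed; it only means these two indicators were not found.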

Author

Tech Jacks Solutions