CVE-2026-3300

WPEverest · Everest Forms Pro (WordPress plugin)

Everest Forms Pro is vulnerable to unauthenticated Remote Code Execution via PHP Code Injection in its Calculation Addon, allowing attackers to execute code through unsanitized form fields.

Executive summary

Unauthenticated attackers can achieve full server compromise by injecting malicious PHP code into Everest Forms Pro fields that utilize the "Complex Calculation" feature.

Vulnerability

The Calculation Addon's process_filter() function insecurely concatenates user-submitted form values into a string passed to the eval() function. Because the application fails to escape single quotes or PHP control characters, an unauthenticated attacker can break out of the string context and execute arbitrary PHP code.
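
A hardened version of the pattern described above, written as an added example for this page rather than taken from Everest Forms Pro: each calculation field value is coerced to a number before substitution and the resulting expression is evaluated by a small arithmetic parser instead of eval(), so a quote, backtick or PHP tag in a submission can never change what runs. The `{field}` placeholder syntax and the `ef_safe_calculate` function name are assumptions, not the plugin's own.

```php
<?php
// Added example, not Everest Forms Pro code: a calculation that never hands
// form input to eval(); {field} tokens become numbers, then a small parser runs.
function ef_safe_calculate(string $template, array $submitted): float
{
    $expr = preg_replace_callback('/\{([a-z0-9_]+)\}/i', function ($m) use ($submitted) {
        $raw = $submitted[$m[1]] ?? null;
        if (!is_numeric($raw)) throw new InvalidArgumentException("Field {$m[1]} is not numeric");
        return '(' . sprintf('%.10F', (float) $raw) . ')';
    }, $template);
    // Defence in depth: only numbers, + - * / and parentheses may remain (no quotes, backticks, tags).
    $expr = preg_replace('/\s+/', '', $expr);
    preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $expr, $m);
    if (implode('', $m[0]) !== $expr) throw new InvalidArgumentException('Forbidden characters');
    $i = 0;
    $v = ef_parse_expr($m[0], $i);
    if ($i !== count($m[0])) throw new InvalidArgumentException('Unexpected trailing input');
    return $v;
}
// Precedence climbing: expr -> atom (op expr)*, with * and / binding tighter than + and -.
function ef_parse_expr(array $t, int &$i, int $minPrec = 1): float
{
    $prec = ['+' => 1, '-' => 1, '*' => 2, '/' => 2];
    $v = ef_parse_atom($t, $i);
    while (($p = $prec[$t[$i] ?? ''] ?? 0) >= $minPrec) {
        $op = $t[$i++];
        $r = ef_parse_expr($t, $i, $p + 1);
        $v = match ($op) { '+' => $v + $r, '-' => $v - $r, '*' => $v * $r, default => $v / $r };
    }
    return $v;
}
function ef_parse_atom(array $t, int &$i): float // atom -> number | '-' atom | '(' expr ')'
{
    $tok = $t[$i++] ?? null;
    if ($tok === '-') return -ef_parse_atom($t, $i);
    if ($tok === '(') {
        $v = ef_parse_expr($t, $i);
        if (($t[$i++] ?? null) !== ')') throw new InvalidArgumentException('Missing closing parenthesis');
        return $v;
    }
    if (!is_numeric($tok)) throw new InvalidArgumentException("Unexpected token '$tok'");
    return (float) $tok;
}
// Constructed sample submissions: numeric fields evaluate; a quote-bearing value is rejected.
echo ef_safe_calculate('{qty} * {price} + 5', ['qty' => '3', 'price' => '2.5']), "\n";
try {
    ef_safe_calculate('{qty} * 2', ['qty' => "3'; bad(); //"]);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

Division by zero surfaces as PHP 8's DivisionByZeroError rather than silently producing INF, which callers should catch alongside InvalidArgumentException.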

Business impact

This vulnerability allows for complete unauthorized access to the WordPress environment and the underlying operating system. Attackers can steal sensitive user data, modify site content, or use the server as a pivot point for further internal network attacks. The CVSS score of 9.8 indicates a critical threat to the organization's digital assets.

Remediation

Immediate Action: Update the Everest Forms Pro plugin and the Calculation Addon to the latest available version so that user input is no longer passed to eval() unsafely.

Proactive Monitoring: Review form submission logs for entries containing PHP tags (<?php), backticks, or unusual character sequences in text and select fields.

Compensating Controls: Implement a WAF to block common PHP injection payloads and restrict the use of the "Complex Calculation" feature to trusted administrative users only.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Applying the vendor-provided patch is the only effective way to mitigate this critical risk. Administrators must ensure that both the core plugin and all associated addons are updated to the latest versions to protect against unauthenticated remote code execution.