An unpatched security vulnerability in Everest Forms Pro (up to version 1.9.12) allows unauthenticated attackers to execute arbitrary PHP code on WordPress websites and take control.