Hackers Leverage Major Vulnerability in Everest Forms Pro WordPress Plugin to Seize Control of Websites


Critical Exploit Targeting Everest Forms Pro Plugin

Attackers are actively exploiting a critical security flaw in Everest Forms Pro, a WordPress plugin with approximately 4,000 active installations. The flaw allows unauthenticated code execution and can lead to full compromise of affected sites.

The vulnerability, tracked as CVE-2026-3300, carries a CVSS score of 9.8 and is classified as a remote code execution flaw.

It affects all versions of the plugin up to and including 1.9.12. A fix was released on March 18, 2026, as version 1.9.13.

As highlighted by Wordfence, “The issue arises from the Calculation Addon’s process_filter() function, which concatenates user-submitted form field values into a PHP code string without appropriate escaping prior to passing it to eval().”

Although sanitize_text_field() is applied to the inputs, it does not escape single quotes or other characters that are significant in a PHP code context, so the sanitization offers no protection here.

This allows unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, or radio) on a form that uses the ‘Complex Calculation’ feature.
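The following PHP is an added example and is not code from Everest Forms, from the Calculation Addon, or from Wordfence. It contrasts the flaw class the advisory describes (quoting form values into a code string that is handed to eval(), with a sanitizer that leaves single quotes intact) with a replacement that never treats form input as code: field values are checked with is_numeric() and the formula is evaluated by a small arithmetic parser. The function `sanitize_text_field_stub`, the `SafeCalculator` class, and the `{placeholder}` template syntax are assumptions made for this example; PHP 8 is assumed for the locale-independent float-to-string cast.

```php
<?php
// Added example, not the plugin's code. Shows why concatenating form values into a PHP
// string for eval() is unsafe even after text sanitization, and a safe replacement.

// Stand-in for WordPress sanitize_text_field(): strips tags, control characters and
// surrounding whitespace, but leaves single quotes untouched (the detail the advisory notes).
function sanitize_text_field_stub(string $value): string {
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    return trim($value);
}

// UNSAFE pattern, shown only for contrast. Each {field} in the template becomes a quoted
// PHP string literal built from user input, and the result is executed. A single quote in
// a field value ends the literal early, so the rest of the value is parsed as PHP code.
function unsafe_calculate(string $template, array $fields): float {
    foreach ($fields as $name => $value) {
        $template = str_replace('{' . $name . '}', "'" . sanitize_text_field_stub($value) . "'", $template);
    }
    return (float) eval('return ' . $template . ';');
}

// SAFE replacement: values are validated as numbers and substituted as parenthesised
// numeric literals, then the formula is evaluated by a recursive-descent parser that only
// understands numbers, + - * / and parentheses. No user-supplied text ever reaches eval().
final class SafeCalculator {
    private string $src;
    private int $pos = 0;

    private function __construct(string $src) { $this->src = $src; }

    public static function evaluate(string $template, array $fields): float {
        $expr = preg_replace_callback('/\{([A-Za-z0-9_]+)\}/', function (array $m) use ($fields): string {
            $raw = $fields[$m[1]] ?? '';
            if (!is_numeric($raw)) {
                throw new InvalidArgumentException("Field '{$m[1]}' is not numeric");
            }
            return '(' . (string) (float) $raw . ')';   // PHP 8: locale-independent cast
        }, $template);
        $calc = new self($expr);
        $value = $calc->parseExpression();
        $calc->skipSpaces();
        if ($calc->pos !== strlen($calc->src)) {
            throw new InvalidArgumentException("Unexpected input at offset {$calc->pos}");
        }
        return $value;
    }

    private function parseExpression(): float {          // expr := term (('+'|'-') term)*
        $value = $this->parseTerm();
        while (true) {
            $this->skipSpaces();
            $op = $this->src[$this->pos] ?? '';
            if ($op !== '+' && $op !== '-') { return $value; }
            $this->pos++;
            $rhs = $this->parseTerm();
            $value = ($op === '+') ? $value + $rhs : $value - $rhs;
        }
    }

    private function parseTerm(): float {                // term := factor (('*'|'/') factor)*
        $value = $this->parseFactor();
        while (true) {
            $this->skipSpaces();
            $op = $this->src[$this->pos] ?? '';
            if ($op !== '*' && $op !== '/') { return $value; }
            $this->pos++;
            $rhs = $this->parseFactor();
            if ($op === '/' && $rhs == 0.0) { throw new DivisionByZeroError('Division by zero in formula'); }
            $value = ($op === '*') ? $value * $rhs : $value / $rhs;
        }
    }

    private function parseFactor(): float {              // factor := '-' factor | '(' expr ')' | number
        $this->skipSpaces();
        $ch = $this->src[$this->pos] ?? '';
        if ($ch === '-') { $this->pos++; return -$this->parseFactor(); }
        if ($ch === '(') {
            $this->pos++;
            $value = $this->parseExpression();
            $this->skipSpaces();
            if (($this->src[$this->pos] ?? '') !== ')') { throw new InvalidArgumentException('Missing )'); }
            $this->pos++;
            return $value;
        }
        if (preg_match('/\G\d+(?:\.\d+)?(?:[eE][+-]?\d+)?/', $this->src, $m, 0, $this->pos)) {
            $this->pos += strlen($m[0]);
            return (float) $m[0];
        }
        throw new InvalidArgumentException("Unexpected character at offset {$this->pos}");
    }

    private function skipSpaces(): void {
        while (in_array($this->src[$this->pos] ?? '', [' ', "\t"], true)) { $this->pos++; }
    }
}

// Usage with constructed form data: a numeric submission is computed, a non-numeric one is rejected.
$fields = ['price' => '19.99', 'qty' => '3'];
echo SafeCalculator::evaluate('{price} * {qty} - ({qty} / 2)', $fields), PHP_EOL;
try {
    SafeCalculator::evaluate('{price} * {qty}', ['price' => 'not a number', 'qty' => '3']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The design point is that the safe version has no code-string construction step at all, so there is nothing to escape: a form value is either a number or an error, and the formula grammar is fixed by the parser rather than by PHP. Sanitizers intended for HTML output, such as sanitize_text_field(), should never be relied on to make data safe for a code context.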

Successful exploitation lets attackers run arbitrary PHP code on the server, create rogue administrator accounts, deploy web shells, and move further into the server infrastructure to establish persistent access.

Wordfence reports that exploitation attempts have been observed since April 13, 2026, and that more than 29,300 attempts targeting this vulnerability have been blocked so far.

Of these, 16 were recorded in the last 24 hours alone. The predominant tactic is to create an administrator account named “diksimarina” with the email address [email protected].

The following IP addresses have been identified as sources of these attack attempts:

  • 202.56.2.126
  • 209.146.60.26
  • 15.235.166.18
  • 2402:1f00:8000:800::40db
  • 185.78.165.153
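The PHP below is an added hunting example and is not code from Wordfence or from the article. It applies the indicators listed above to two sources a site owner can check: web-server access-log lines (matched on client address, with IPv6 forms normalised so that an expanded address still matches the compressed one in the list) and the WordPress administrator list (flagged on the reported username or on a registration date on or after April 13, 2026, when exploitation attempts were first observed). The log lines, the user rows and the `@example` email address are constructed for the example; the real user list can be exported with `wp user list --role=administrator --fields=user_login,user_email,user_registered --format=csv`. The function names are assumptions made here.

```php
<?php
// Added example for hunting the article's indicators of compromise; not Wordfence's code.
// IP list, username and date come from the article; the sample data below is constructed.

const REPORTED_SOURCE_IPS = [
    '202.56.2.126',
    '209.146.60.26',
    '15.235.166.18',
    '2402:1f00:8000:800::40db',
    '185.78.165.153',
];
const REPORTED_ADMIN_USERNAME = 'diksimarina';
const EXPLOITATION_OBSERVED_SINCE = '2026-04-13';

// Canonical binary form so that differently written IPv6 addresses compare equal.
function canonical_ip(string $ip): ?string {
    $packed = @inet_pton($ip);
    return $packed === false ? null : bin2hex($packed);
}

// Parses an Apache/Nginx combined-format line: client - user [time] "METHOD path PROTO" status ...
function parse_access_log_line(string $line): ?array {
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

// Returns the parsed records whose client address is on the reported list.
function find_requests_from_reported_ips(array $lines): array {
    $wanted = array_filter(array_map('canonical_ip', REPORTED_SOURCE_IPS));
    $hits = [];
    foreach ($lines as $line) {
        $rec = parse_access_log_line($line);
        if ($rec === null) { continue; }
        $key = canonical_ip($rec['ip']);
        if ($key !== null && in_array($key, $wanted, true)) { $hits[] = $rec; }
    }
    return $hits;
}

// Flags administrator rows (user_login, user_email, user_registered) that match the reported
// username or were registered on or after the date exploitation was first observed.
function find_suspicious_admins(array $users): array {
    $since = new DateTimeImmutable(EXPLOITATION_OBSERVED_SINCE);
    $flagged = [];
    foreach ($users as $u) {
        $reasons = [];
        if (strcasecmp($u['user_login'], REPORTED_ADMIN_USERNAME) === 0) {
            $reasons[] = 'matches reported username';
        }
        if (new DateTimeImmutable($u['user_registered']) >= $since) {
            $reasons[] = 'registered after exploitation was first observed';
        }
        if ($reasons) { $flagged[] = ['user' => $u, 'reasons' => $reasons]; }
    }
    return $flagged;
}

// Constructed sample data (not real traffic or real accounts).
$sampleLog = [
    '198.51.100.7 - - [14/Apr/2026:10:01:02 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '202.56.2.126 - - [14/Apr/2026:10:02:45 +0000] "POST /contact/ HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '2402:1f00:8000:0800:0000:0000:0000:40db - - [14/Apr/2026:10:03:10 +0000] "POST /contact/ HTTP/1.1" 200 87 "-" "curl/8.4.0"',
];
$sampleAdmins = [
    ['user_login' => 'siteowner',   'user_email' => 'owner@example.com',      'user_registered' => '2024-06-01 09:00:00'],
    ['user_login' => 'diksimarina', 'user_email' => 'unknown@example.invalid', 'user_registered' => '2026-04-14 10:02:46'],
];

foreach (find_requests_from_reported_ips($sampleLog) as $hit) {
    printf("reported IP %s: %s %s (%d) at %s\n", $hit['ip'], $hit['method'], $hit['path'], $hit['status'], $hit['time']);
}
foreach (find_suspicious_admins($sampleAdmins) as $f) {
    printf("admin %s <%s>: %s\n", $f['user']['user_login'], $f['user']['user_email'], implode(', ', $f['reasons']));
}
```

A match on the IP list is a strong signal but its absence proves nothing, since the listed addresses are only the sources Wordfence observed; the administrator-list check and a search for unexpected PHP files in wp-content are the more reliable checks on a site that ran a vulnerable version before the update.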

Skimmer Attacks Utilizing Stripe for Command and Control

This alert coincides with Sansec warnings about several skimmer campaigns, one of which uses Stripe as a command-and-control (C2) server, relying on the platform's trusted reputation to bypass Content Security Policy rules and network filters.

According to Sansec, “Attackers view Stripe as free infrastructure rather than merely a method for laundering transactions.”

The platform gives the attacker a writable database for stolen card data and a code-hosting endpoint for the skimmer, both behind a domain that CSP rules and network defenses already trust.

The operation relies on Google Tag Manager (GTM) and Stripe domains (googletagmanager.com and api.stripe.com), both of which e-commerce platforms implicitly trust. The malicious code, loaded from a GTM container, runs on every page that includes it.

On Magento and Adobe Commerce checkout pages, an obfuscated skimmer is fetched from the metadata field of a Stripe customer account. It captures the card data, billing addresses, emails, and phone numbers that shoppers enter, stores them in localStorage, and then exfiltrates them to the attacker’s Stripe account.

Sansec elaborated, “Every stolen card transforms into a ‘customer’ within the attacker’s account.” Once the data has been sent, the loader deletes the localStorage entry so that the same card is not submitted twice.

The attacker can later retrieve the stolen cards by querying the same API with the original key, which turns Stripe’s customer database into a permanently accessible exfiltration store.

The Stripe account that receives the skimmed data appears to have been created on December 24, 2025, suggesting the operation has been running for some time.

Sansec also found a loader variant that uses Google Firestore instead of Stripe. The goal is the same in both cases: abuse a trusted service as a covert channel that e-commerce security tooling is unlikely to flag.


The report also ties in with the large GorgonAgora operation, a network of 5,714 fake .shop storefronts impersonating well-known brands (including Starbucks, Ford, Sony, Mattel, Hasbro, Lego, Disney, and Toyota) that has funneled stolen card data to a single skimmer server in Moldova since August 2025.

Sansec remarked, “Each store runs a uniform Medusa.js commerce stack and executes the same custom checkout SDK, fostering a fabricated Stripe iframe and exfiltrating card data through an encrypted WebSocket to a centralized server in Moldova.”

Furthermore, “Data exfiltration transpires over WebSocket with an AES-256-GCM payload, while the C2 sustains an active 3D Secure relay: when a challenged response from the victim’s bank is returned, the operator proxies it back to the shopper through the counterfeit iframe, ensuring the transaction’s completion remains undetected.”

Source link: Thehackernews.com.

Disclosure: This article is for general information only and is based on publicly available sources. We aim for accuracy but can't guarantee it. The views expressed are the author's and may not reflect those of the publication. Some content was created with help from AI and reviewed by a human for clarity and accuracy. We value transparency and encourage readers to verify important details. This article may include affiliate links. If you buy something through them, we may earn a small commission — at no extra cost to you. All information is carefully selected and reviewed to ensure it's helpful and trustworthy.

Reported By

Souvik Banerjee

I’m Souvik Banerjee from Kolkata, India. As a Marketing Manager at RS Web Solutions (RSWEBSOLS), I specialize in digital marketing, SEO, programming, web development, and eCommerce strategies. I also write tutorials and tech articles that help professionals better understand web technologies.