Critical Everest Forms Pro Flaw Under Active Attack
Security researchers have warned that threat actors are actively exploiting a critical vulnerability in Everest Forms Pro, a popular WordPress plugin with approximately 4,000 active installations.
The vulnerability, tracked as CVE-2026-3300 and assigned a CVSS score of 9.8, affects all plugin versions up to and including 1.9.12.
A security fix was released on March 18, 2026, in version 1.9.13, but attackers have already begun targeting unpatched installations.
Technical Details
According to Wordfence, the vulnerability originates from the Calculation Addon's process_filter() function.
The function builds a PHP expression by string concatenation, inserting the submitted form values directly into the generated source, and then hands that string to eval().
Because the submitted values are neither validated as numbers nor otherwise sanitized before they are interpolated, an attacker can close the intended expression and append arbitrary PHP, which eval() then executes on the server.
The issue impacts forms that utilize the plugin's Complex Calculation feature and can be triggered through several field types, including:
- Text fields
- Email fields
- URL fields
- Select menus
- Radio buttons
Because the affected forms accept submissions from anonymous visitors, the injected code runs without any authentication.
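To make the bug class concrete, here is an added illustration (not Everest Forms Pro's own code, which the advisory does not reproduce): a calculation routine that splices submitted field values into PHP source and eval()s it, beside a hardened version that validates every field as a number and interprets the formula with a small operator-precedence evaluator instead of compiling it. The function names, the {field} placeholder syntax and the sample values are assumptions made for this illustration.

```php
<?php
// Added example, not Everest Forms Pro code: the eval() anti-pattern described above
// beside a hardened evaluator. Function names, the {field} placeholder syntax and the
// sample field values are assumptions made for this illustration. Requires PHP 8.

/** Vulnerable pattern: submitted values are spliced into PHP source and eval()'d. */
function calculate_vulnerable(string $formula, array $fields)
{
    $php = $formula;
    foreach ($fields as $name => $value) {
        $php = str_replace('{' . $name . '}', (string) $value, $php); // visitor text becomes code
    }
    return eval('return ' . $php . ';');
}

/** Hardened pattern: fields must be numeric, and the formula is interpreted, never compiled. */
function calculate_safe(string $formula, array $fields): float
{
    // Substitute only validated numbers; negatives are parenthesised so the tokenizer
    // below never has to handle a unary minus.
    $expr = preg_replace_callback('/\{([a-z0-9_]+)\}/i', function (array $match) use ($fields): string {
        $value = $fields[$match[1]] ?? null;
        if (!is_numeric($value)) {
            throw new InvalidArgumentException("field {$match[1]} is not numeric");
        }
        $num  = (float) $value;
        $text = rtrim(rtrim(number_format($num, 10, '.', ''), '0'), '.');
        return $num < 0 ? "(0{$text})" : $text;
    }, $formula);

    // Tokenize: numbers, + - * / and parentheses. Any other character is rejected.
    if (!preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $expr, $m)
        || implode('', $m[0]) !== preg_replace('/\s+/', '', $expr)) {
        throw new InvalidArgumentException('formula contains unsupported tokens');
    }

    // Shunting-yard to reverse Polish notation.
    $prec = ['+' => 1, '-' => 1, '*' => 2, '/' => 2];
    $output = [];
    $ops = [];
    foreach ($m[0] as $tok) {
        if (is_numeric($tok)) {
            $output[] = (float) $tok;
        } elseif ($tok === '(') {
            $ops[] = $tok;
        } elseif ($tok === ')') {
            while ($ops && end($ops) !== '(') {
                $output[] = array_pop($ops);
            }
            if (array_pop($ops) !== '(') throw new InvalidArgumentException('unbalanced parentheses');
        } else {
            while ($ops && end($ops) !== '(' && $prec[end($ops)] >= $prec[$tok]) {
                $output[] = array_pop($ops);
            }
            $ops[] = $tok;
        }
    }
    while ($ops) {
        $op = array_pop($ops);
        if ($op === '(') throw new InvalidArgumentException('unbalanced parentheses');
        $output[] = $op;
    }

    // Evaluate the RPN on a stack; the only things that can "run" are the four operators.
    $stack = [];
    foreach ($output as $item) {
        if (is_float($item)) { $stack[] = $item; continue; }
        if (count($stack) < 2) throw new InvalidArgumentException('malformed formula');
        $b = array_pop($stack);
        $a = array_pop($stack);
        $stack[] = match ($item) {
            '+' => $a + $b,
            '-' => $a - $b,
            '*' => $a * $b,
            '/' => $b == 0.0 ? throw new DivisionByZeroError('division by zero') : $a / $b,
        };
    }
    if (count($stack) !== 1) throw new InvalidArgumentException('malformed formula');
    return $stack[0];
}

// Benign submission: both implementations agree.
$formula = '{qty} * {price} + 1';
$benign  = ['qty' => '3', 'price' => '2.50'];
echo calculate_vulnerable($formula, $benign), "\n";
echo calculate_safe($formula, $benign), "\n";

// Hostile submission: the qty field carries PHP. eval() runs it (here a harmless print),
// while the hardened version refuses the field before anything is evaluated.
$hostile = ['qty' => '(print("injected code ran\n"))', 'price' => '2'];
echo calculate_vulnerable($formula, $hostile), "\n";
try {
    calculate_safe($formula, $hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The hardened version never turns input into code: a value that is not numeric is rejected before evaluation, and the formula grammar is limited to arithmetic, so there is nothing an attacker can smuggle through the fields. Escaping or quoting values on their way into eval() is not an adequate fix for this class; the input must not reach the interpreter at all.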
Potential Impact
Successful exploitation may allow attackers to:
- Execute arbitrary PHP code
- Create unauthorized administrator accounts
- Deploy web shells
- Modify website content
- Establish persistent access
- Install additional malware
- Take complete control of the WordPress environment
Because exploitation requires no authentication, any internet-facing site that exposes an affected form is reachable by the attackers.
Exploitation Observed in the Wild
Wordfence reports that exploitation activity began on April 13, 2026.
To date, more than 29,300 exploitation attempts have been detected and blocked.
One of the most frequently observed payloads attempts to create a rogue administrator account with the following credentials:
Username: diksimarina
Email: [email protected]
Organizations should immediately review administrator accounts and investigate any unexpected privileged users.
Known Attacker Infrastructure
Observed attack activity has originated from the following IP addresses:
- 202.56.2.126
- 209.146.60.26
- 15.235.166.18
- 2402:1f00:8000:800::40db
- 185.78.165.153

Security teams should monitor logs for connections associated with these indicators.
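As an added example (not Wordfence's tooling), the following script checks access-log lines against the addresses above. It normalises addresses to their binary form with inet_pton so that the IPv6 indicator matches however the log writer spelled it, and marks POST requests because the exploit path is a form submission. The log lines are constructed for the demo, the /contact/ path is a placeholder for a page hosting an affected form, and the combined log format is assumed.

```php
<?php
// Added example, not from Wordfence or the original article: scan a web-server access
// log for the indicator addresses listed above. The log lines are constructed for the
// demo and the combined-log layout is assumed; nothing here is taken from a real site.

const INDICATOR_IPS = [
    '202.56.2.126',
    '209.146.60.26',
    '15.235.166.18',
    '2402:1f00:8000:800::40db',
    '185.78.165.153',
];

/** Binary form of an address, so the uncompressed and compressed IPv6 spellings compare equal. */
function canonical_ip(string $ip): ?string
{
    $ip = trim($ip, "[] \t");
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null; // not an address at all (malformed line, hostname, etc.)
    }
    return inet_pton($ip) ?: null;
}

/** Map from canonical binary form back to the indicator as published, for reporting. */
function build_indicator_set(array $ips): array
{
    $set = [];
    foreach ($ips as $ip) {
        if (($bin = canonical_ip($ip)) !== null) {
            $set[$bin] = $ip;
        }
    }
    return $set;
}

/**
 * Return one record per log line whose client address is an indicator. POSTs are marked
 * because the vulnerable code path is reached through a form submission.
 */
function find_indicator_hits(iterable $lines, array $indicators): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Combined log format: client address, identd, user, [timestamp], "request line".
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)/', $line, $m)) {
            continue;
        }
        [, $ip, $time, $method, $path] = $m;
        $bin = canonical_ip($ip);
        if ($bin === null || !isset($indicators[$bin])) {
            continue;
        }
        $hits[] = [
            'indicator' => $indicators[$bin],
            'time'      => $time,
            'method'    => $method,
            'path'      => $path,
            'form_post' => $method === 'POST',
        ];
    }
    return $hits;
}

// Constructed sample log: one benign request, one from the IPv6 indicator written in its
// uncompressed form, and two from 185.78.165.153.
$sampleLog = [
    '203.0.113.7 - - [13/Apr/2026:09:58:01 +0000] "GET /about/ HTTP/1.1" 200 4821',
    '2402:1f00:8000:0800:0000:0000:0000:40db - - [13/Apr/2026:10:02:11 +0000] "POST /contact/ HTTP/1.1" 200 512',
    '185.78.165.153 - - [13/Apr/2026:10:02:40 +0000] "POST /contact/ HTTP/1.1" 200 512',
    '185.78.165.153 - - [13/Apr/2026:10:02:41 +0000] "GET /wp-login.php HTTP/1.1" 200 2310',
];

$indicators = build_indicator_set(INDICATOR_IPS);
// Against a real log, pass new SplFileObject('/var/log/apache2/access.log') instead of the array.
foreach (find_indicator_hits($sampleLog, $indicators) as $hit) {
    printf("%s %-4s %-14s matched indicator %s%s\n", $hit['time'], $hit['method'], $hit['path'],
        $hit['indicator'], $hit['form_post'] ? ' [form submission]' : '');
}
```

A hit on a GET alone is reconnaissance; a POST from one of these addresses to a page carrying an affected form is the exploitation attempt itself, and the administrator-account review above should follow from the timestamp of that request.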
New Payment Card Skimming Campaign Abuses Stripe
Separately, researchers from Sansec uncovered a payment card skimming campaign that abuses trusted third-party services to evade detection.
Instead of relying on traditional attacker infrastructure, the campaign uses:
- Google Tag Manager (GTM)
- Stripe APIs
to distribute malicious code and exfiltrate stolen payment card data.
Stripe Used as Command-and-Control Infrastructure
The attackers leverage a Stripe customer account as both:
- A malware hosting platform
- A stolen data repository
Malicious JavaScript is loaded through Google Tag Manager and executed on affected e-commerce websites.
The code extracts:
- Credit card numbers
- Billing information
- Email addresses
- Phone numbers
and stores them temporarily before transmitting the information back to the attackers through Stripe's infrastructure.
Because a checkout page legitimately needs to talk to Stripe, its domains are routinely allowlisted in Content Security Policies (CSPs) and egress filters, so the exfiltration traffic blends in with expected requests and is neither flagged nor blocked.
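An added example, not from Sansec, of what validating the CSP amounts to in practice: a script that parses a policy and lists the script-src and connect-src entries that are wildcard or inline, or that belong to legitimate services the campaigns above used as delivery and exfiltration channels. The policy string and the hostnames (js.stripe.com, api.stripe.com, www.googletagmanager.com, firestore.googleapis.com) are assumptions made for the illustration.

```php
<?php
// Added example, not Sansec's code: parse a Content-Security-Policy header and list the
// script and connection sources that are broad, or that belong to legitimate services the
// campaigns above ride on. The policy string and the host list are constructed for the demo.

// Hosts a checkout page commonly needs, which are also the channels abused above. A
// leading dot means "this domain or any subdomain". The hostnames are assumptions.
const DUAL_USE_HOSTS = [
    '.stripe.com'              => 'Stripe (hosting and exfiltration channel in the campaign)',
    '.googletagmanager.com'    => 'Google Tag Manager (delivery channel for the skimmer)',
    'firestore.googleapis.com' => 'Google Firestore (exfiltration channel in the second variant)',
];

/** Parse "directive src src; directive src" into [directive => [source, ...]]. */
function parse_csp(string $policy): array
{
    $out = [];
    foreach (explode(';', $policy) as $directive) {
        $parts = preg_split('/\s+/', trim($directive), -1, PREG_SPLIT_NO_EMPTY);
        if ($parts === []) {
            continue;
        }
        $name = strtolower(array_shift($parts));
        $out[$name] = array_map('strtolower', $parts);
    }
    return $out;
}

/** Host part of a source expression, or null for keywords, nonces, hashes and scheme-only sources. */
function host_of(string $source): ?string
{
    if ($source === '' || $source === '*' || $source[0] === "'" || preg_match('/^[a-z][a-z0-9+.-]*:$/', $source)) {
        return null;
    }
    $host = preg_replace('#^[a-z][a-z0-9+.-]*://#', '', $source); // drop scheme
    $host = preg_split('#[/:]#', $host)[0];                        // drop port and path
    return $host === '' ? null : $host;
}

/** Label for a host that matches DUAL_USE_HOSTS, or null. */
function dual_use_label(string $host): ?string
{
    $host = ltrim($host, '*.'); // treat *.stripe.com like stripe.com
    foreach (DUAL_USE_HOSTS as $pattern => $label) {
        $matches = $pattern[0] === '.'
            ? $host === substr($pattern, 1) || str_ends_with($host, $pattern)
            : $host === $pattern;
        if ($matches) {
            return $label;
        }
    }
    return null;
}

/** Findings for the two directives that decide what runs and where the page may send data. */
function audit_csp(string $policy): array
{
    $csp = parse_csp($policy);
    $findings = [];
    foreach (['script-src', 'connect-src'] as $directive) {
        $sources = $csp[$directive] ?? $csp['default-src'] ?? null;
        if ($sources === null) {
            $findings[] = [$directive, '(absent)', 'unrestricted: any origin may be used'];
            continue;
        }
        foreach ($sources as $src) {
            if ($src === '*' || preg_match('/^https?:$/', $src)) {
                $findings[] = [$directive, $src, 'wildcard or scheme-only source allows any host'];
            } elseif ($src === "'unsafe-inline'" && $directive === 'script-src') {
                $findings[] = [$directive, $src, 'inline scripts (e.g. tag snippets) run unchecked'];
            } elseif (($host = host_of($src)) !== null && ($label = dual_use_label($host)) !== null) {
                $findings[] = [$directive, $src, 'legitimate but dual-use: ' . $label];
            }
        }
    }
    return $findings;
}

// Constructed policy of the kind a Stripe-based checkout page might ship.
$policy = "default-src 'self'; "
    . "script-src 'self' https://js.stripe.com https://www.googletagmanager.com 'unsafe-inline'; "
    . "connect-src 'self' https://api.stripe.com https://firestore.googleapis.com; "
    . "img-src *";

foreach (audit_csp($policy) as [$directive, $source, $note]) {
    printf("%-11s %-36s %s\n", $directive, $source, $note);
}
```

The point of the output is not that these entries can be removed; a Stripe checkout needs them. It is that a policy which allowlists them cannot, by itself, tell the skimmer's requests apart from legitimate ones, so the review has to move to what those origins actually serve: the tags in the GTM container and the scripts loaded through them.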
Alternative Variant Uses Google Firestore
Researchers also identified a second campaign variant that replaces Stripe with Google Firestore.
The objective remains identical:
- Hide malicious communications within trusted cloud services
- Bypass security controls
- Exfiltrate payment data without triggering alerts
GorgonAgora Campaign Impersonates Major Brands
Sansec additionally revealed a large-scale operation known as GorgonAgora.
The campaign consists of more than 5,700 fraudulent online stores impersonating major global brands, including:
- Starbucks
- Ford
- Sony
- Mattel
- Hasbro
- LEGO
- Disney
- Toyota
All storefronts utilize the same infrastructure and payment-skimming mechanisms.
Advanced Payment Theft Infrastructure
Researchers found that the fake stores:
- Use the Medusa.js commerce platform
- Present fake Stripe payment interfaces
- Exfiltrate payment card data to a centralized server in Moldova
The operation also includes a live 3D Secure relay capability.
When the victim's bank issues a 3D Secure challenge for the fraudulent transaction, the attackers relay that challenge in real time to the victim through the fake payment page; the victim completes it believing it belongs to their own purchase, and the fraudulent transaction is authorized without raising suspicion.
Mitigation Recommendations
Organizations should take the following actions immediately:
Everest Forms Pro
- Upgrade to version 1.9.13 or later
- Review WordPress administrator accounts
- Search for unauthorized plugins or web shells
- Monitor logs for suspicious form submissions
E-Commerce Platforms
- Audit Google Tag Manager containers
- Review third-party JavaScript integrations
- Monitor the outbound requests made by checkout pages for unexpected cloud services
- Validate Content Security Policy configurations
General Security
- Enable continuous monitoring
- Deploy web application firewalls (WAFs)
- Implement file integrity monitoring
- Review privileged account activity
Conclusion
The active exploitation of CVE-2026-3300 highlights the ongoing risks associated with vulnerable WordPress plugins, particularly those capable of executing dynamic code.
At the same time, emerging skimming campaigns demonstrate how attackers increasingly abuse trusted cloud services such as Stripe and Google infrastructure to evade detection and steal sensitive payment information.
Organizations should prioritize patching vulnerable systems and continuously monitor their environments for signs of compromise.