A critical security vulnerability in the Everest Forms Pro WordPress plugin, affecting approximately 4,000 active installations, is being actively exploited by threat actors to execute arbitrary code, leading to full website compromise. This remote code execution (RCE) flaw, identified as CVE-2026-3300, carries a severe CVSS score of 9.8 and impacts all versions up to and including 1.9.12. A patch was released on March 18, 2026, in version 1.9.13.
The vulnerability stems from the `process_filter()` function of the Calculation Addon in Everest Forms Pro. According to Wordfence, this function concatenates user-submitted form field values into a string of PHP source code without escaping them, and the resulting string is then passed to `eval()`. The values do go through `sanitize_text_field()`, but that function strips tags and collapses whitespace; it does not escape characters that are significant in PHP source, such as single quotes. A submitted value can therefore close the quoted literal it is spliced into and append arbitrary PHP, which `eval()` executes.
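The following is an added illustration of the pattern Wordfence describes, not the Everest Forms Pro code itself: the calculation template, the field value and the simplified `sanitize_text_field_stub()` are assumptions chosen to show why sanitisation is not the same as escaping for a code context, and what the hardened form looks like when no source code is built from input at all.

```php
<?php
// Added illustration of the vulnerable pattern described above. This is NOT
// the Everest Forms Pro code: the template "return '<value>' * 2;" and the
// stub below are assumptions used to show why sanitisation is not escaping.

// Simplified stand-in for WordPress' sanitize_text_field(). The real function
// does more (UTF-8 validation, octet stripping), but like this stub it strips
// tags, collapses whitespace, trims, and leaves quotes untouched.
function sanitize_text_field_stub(string $str): string {
    $str = strip_tags($str);
    $str = preg_replace('/[\r\n\t ]+/', ' ', $str);
    return trim($str);
}

// Vulnerable shape: the sanitised value is spliced into PHP source as a quoted
// literal and the source is eval()'d. A single quote in the value closes the
// literal, and whatever follows runs as PHP.
function calculate_vulnerable(string $fieldValue) {
    $safe = sanitize_text_field_stub($fieldValue);
    $code = "return '" . $safe . "' * 2;";   // assumed calculation template
    return eval($code);
}

// Hardened shape: never build source code from input. Validate the value as a
// number and do the arithmetic directly; with no eval() there is nothing to
// break out of, and non-numeric input is rejected instead of interpreted.
function calculate_hardened(string $fieldValue): ?float {
    $safe = sanitize_text_field_stub($fieldValue);
    $number = filter_var($safe, FILTER_VALIDATE_FLOAT);
    if ($number === false) {
        return null;   // reject anything that is not a plain number
    }
    return $number * 2;
}

// Benign input: both variants behave the same.
var_dump(calculate_vulnerable('21'));  // int(42)
var_dump(calculate_hardened('21'));    // float(42)

// Constructed demonstration value (harmless): closes the literal, appends an
// expression of the sender's choosing and comments out the rest of the
// template. It passes the sanitiser unchanged because it contains no tags
// and no runs of whitespace.
$demo = "21' . strtoupper('injected'); //";
var_dump(sanitize_text_field_stub($demo) === $demo);  // bool(true)
var_dump(calculate_vulnerable($demo));  // string(10) "21INJECTED"
var_dump(calculate_hardened($demo));    // NULL
```

The point of the contrast is that `sanitize_text_field()` is doing exactly what it is documented to do; the defect is in using a text sanitiser as if it were an escaper for PHP source. Validating the value as a number (or parsing a formula with an allowlisted grammar) and computing in PHP removes the code-building step entirely, which is the only reliable fix for `eval()` on user-controlled data.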
Everest Forms Pro Vulnerability Fuels Website Compromises
The exploitation of the Everest Forms Pro bug allows unauthenticated attackers to inject and execute arbitrary PHP code on the server. This capability opens the door for attackers to perform a range of malicious activities, including the creation of rogue administrator accounts, the deployment of web shells for persistent access, and the establishment of deeper footholds within the compromised server infrastructure. These actions can effectively lead to a complete takeover of the affected WordPress website.
According to Wordfence, exploitation attempts against this Everest Forms Pro vulnerability were first observed on April 13, 2026. The company reported blocking more than 29,300 exploit attempts up to the time of its analysis, 16 of them in the preceding 24 hours. A recurring pattern in the attack payloads is an attempt to create an administrator account with the username “diksimarina” and the email address [email protected].
The attempts have been traced to several source IP addresses, including 202.56.2.126, 209.146.60.26, 15.235.166.18, 2402:1f00:8000:800::40db, and 185.78.165.153.
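As an added example that is not part of the Wordfence report, the following script sweeps a web-server access log and a user list for the indicators quoted above. The combined log format, the user-list layout and the sample records are constructed for illustration, and the post-patch-date heuristic for new administrator accounts is an assumption meant to surface accounts for manual review, not a rule from the report.

```php
<?php
// Added IOC sweep, not from the Wordfence report. Log format, user-list layout
// and the sample data below are constructed for illustration.

// Source addresses the article attributes to the exploitation attempts.
const IOC_IPS = [
    '202.56.2.126',
    '209.146.60.26',
    '15.235.166.18',
    '2402:1f00:8000:800::40db',
    '185.78.165.153',
];

// Username the payloads try to register as an administrator.
const IOC_USERNAME = 'diksimarina';

// Canonicalise an address through inet_pton/inet_ntop so that IPv6 spellings
// such as 2402:1f00:8000:0800::40db and 2402:1f00:8000:800::40db compare equal.
function canonical_ip(string $ip): ?string {
    $packed = @inet_pton($ip);
    return $packed === false ? null : inet_ntop($packed);
}

// Return the log lines (combined log format, client IP in the first field)
// whose client address is one of the IOC addresses.
function flagged_log_lines(array $lines): array {
    $wanted = array_map('canonical_ip', IOC_IPS);
    $hits = [];
    foreach ($lines as $line) {
        $ip = canonical_ip(strtok($line, ' '));
        if ($ip !== null && in_array($ip, $wanted, true)) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Return administrator logins that match the IOC username, plus (assumed
// heuristic) administrators registered on or after the patch release date,
// which a site owner should be able to account for by hand.
function suspicious_admins(array $users, string $since = '2026-03-18'): array {
    $out = [];
    foreach ($users as $u) {
        if ($u['role'] !== 'administrator') {
            continue;
        }
        if ($u['login'] === IOC_USERNAME || $u['registered'] >= $since) {
            $out[] = $u['login'];
        }
    }
    return $out;
}

// Constructed sample data: two requests from IOC addresses among normal
// traffic, and one rogue administrator among legitimate users.
$logLines = [
    '203.0.113.7 - - [13/Apr/2026:10:02:11 +0000] "GET / HTTP/1.1" 200 5123',
    '202.56.2.126 - - [13/Apr/2026:10:05:43 +0000] "POST /contact-us/ HTTP/1.1" 200 87',
    '2402:1f00:8000:0800::40db - - [14/Apr/2026:01:17:09 +0000] "POST /contact-us/ HTTP/1.1" 200 87',
];
$users = [
    ['login' => 'editor1',     'role' => 'editor',        'registered' => '2024-06-01'],
    ['login' => 'siteadmin',   'role' => 'administrator', 'registered' => '2023-01-10'],
    ['login' => 'diksimarina', 'role' => 'administrator', 'registered' => '2026-04-13'],
];

print_r(flagged_log_lines($logLines));  // the two POSTs from IOC addresses
print_r(suspicious_admins($users));     // Array ( [0] => diksimarina )
```

On a real site the user list would come from `wp_users` joined with the capabilities meta (or `wp user list --role=administrator` from WP-CLI), and a hit on either check is a reason to treat the host as compromised rather than merely unpatched, since the report ties the account creation to web-shell deployment.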
Emerging Skimmer Campaigns Leverage Trusted Services
The Everest Forms Pro disclosure coincides with separate reports of sophisticated skimmer campaigns. Sansec has detailed several such operations, including one that uses the payment processor Stripe as both a command-and-control (C2) server and a data exfiltration point. The tactic exploits the trust placed in the Stripe brand to slip past defences such as Content Security Policy (CSP) rules and network filters.
Attackers are treating Stripe as free infrastructure for both storing stolen card details and hosting malicious skimmer code. Because Stripe’s domains are typically allowlisted by online stores, the malicious code, often loaded via Google Tag Manager (GTM), can run without raising immediate suspicion. The practical caveat for defenders is that a CSP allowlist is scoped to an origin, not to an account: permitting `api.stripe.com` in `connect-src` lets the browser talk to any Stripe account, including the attacker’s, so the policy alone cannot distinguish the merchant’s legitimate calls from exfiltration.
In the observed Magento and Adobe Commerce campaigns, the skimmers extract obfuscated code from a Stripe customer metadata field. The captured payment and personal data, including billing addresses and phone numbers, are then stored in the browser’s `localStorage` before being exfiltrated to the attacker’s Stripe account. Sansec indicates that each stolen card is registered as a new “customer” in the attacker’s Stripe account, effectively using the payment processor’s database as a covert exfiltration channel.
The research suggests that this particular Stripe-based campaign may have been active since at least December 24, 2025, the creation date of the relevant Stripe customer record. A variant that uses Google Firestore instead of Stripe for the same covert channel has also been identified. These findings align with larger ongoing operations such as GorgonAgora, which has involved thousands of fake e-commerce storefronts impersonating well-known brands and funnelling stolen card data to a central skimmer server in Moldova. Active since August 2025, these operations employ techniques such as encrypted WebSockets and live 3D Secure relays to complete fraudulent transactions while evading detection.
The continued discovery of such attacks underscores the persistent threat to WordPress sites and e-commerce platforms. Owners of Everest Forms Pro sites should update to version 1.9.13 or later immediately and, because exploitation has been under way since April 13, 2026, check for unexpected administrator accounts and web shells rather than assuming the patch alone closes the incident. Keeping all plugins and themes current, monitoring security advisories and maintaining sound security practices remain essential against evolving threats.

