Hackers are taking advantage of a dangerous security hole in Everest Forms Pro, a WordPress plugin installed on roughly 4,000 websites, to inject code and gain full control over affected sites.
This vulnerability, tracked as CVE-2026-3300 with a CVSS score of 9.8, is a remote code execution flaw affecting all versions of the plugin through 1.9.12. The developer issued a patch on March 18, 2026, in version 1.9.13.
“The issue lies in how the Calculation Addon’s process_filter() function merges user-supplied form data into a PHP code string and sends it to eval() without safely escaping it first,” Wordfence explained.
“While sanitize_text_field() runs on the input, it doesn’t escape single quotes or other PHP-related characters. This allows unauthenticated visitors to drop custom PHP code onto the server by entering manipulated data into standard text fields (text, email, URL, select, radio) on any form that uses the ‘Complex Calculation’ option.”
If exploited successfully, attackers can run any PHP code on the server, create fake admin accounts, plant web shells, and carve out long-term access to the site.
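As an added example (not Everest Forms code and not the vendor's patch), here is the defensive alternative to the pattern the advisory describes: field values are validated as numbers and the formula is evaluated by a tiny parser instead of eval(), so no user-supplied text ever becomes PHP source. The function name, the `{field}` placeholder syntax and the supported grammar are assumptions made for this illustration.

```php
<?php
// Added illustration, not plugin code. Why escaping cannot fix the original: once
// field text is spliced into a PHP string handed to eval(), any quote ends the
// literal. This version never calls eval(): values must be floats, and the
// formula grammar is limited to numbers, + - * / and parentheses.
function safe_calculate(string $formula, array $fields): float
{
    foreach ($fields as $name => $value) {
        $num = filter_var($value, FILTER_VALIDATE_FLOAT);
        if ($num === false) throw new InvalidArgumentException("field '$name' is not numeric");
        $formula = str_replace('{' . $name . '}', (string) $num, $formula);
    }
    // Tokenize; anything the pattern skips (quotes, letters, ';', '$') fails the round-trip check.
    preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $formula, $m);
    $t = $m[0];
    if (implode('', $t) !== preg_replace('/\s+/', '', $formula)) throw new InvalidArgumentException('disallowed characters in formula');
    $i = 0;
    $sum = null;
    $unary = function () use (&$t, &$i, &$sum, &$unary): float { // unary := '-' unary | '(' sum ')' | number
        $tok = $t[$i++] ?? null;
        if ($tok === '-') return -$unary();
        if ($tok === '(') {
            $v = $sum();
            if (($t[$i++] ?? null) !== ')') throw new InvalidArgumentException('unbalanced parentheses');
            return $v;
        }
        if ($tok !== null && is_numeric($tok)) return (float) $tok;
        throw new InvalidArgumentException('unexpected token in formula');
    };
    $product = function () use (&$t, &$i, $unary): float { // product := unary (('*'|'/') unary)*
        $v = $unary();
        while (in_array($t[$i] ?? null, ['*', '/'], true)) {
            $op = $t[$i++]; $r = $unary();
            if ($op === '/' && $r == 0.0) throw new DivisionByZeroError('division by zero in formula');
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    };
    $sum = function () use (&$t, &$i, $product): float { // sum := product (('+'|'-') product)*
        $v = $product();
        while (in_array($t[$i] ?? null, ['+', '-'], true)) {
            $v = $t[$i++] === '+' ? $v + $product() : $v - $product();
        }
        return $v;
    };
    $v = $sum();
    if ($i !== count($t)) throw new InvalidArgumentException('trailing tokens in formula');
    return $v;
}
// Constructed sample input: field values arrive as strings, exactly as form posts deliver them.
var_dump(safe_calculate('({qty} * {price}) - {discount}', ['qty' => '3', 'price' => '19.99', 'discount' => '5']));
```

A value such as `abc` or anything containing a quote is rejected before the parser runs, which is the property the eval()-based design could not provide.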
Wordfence reports that exploitation attempts began as early as April 13, 2026, and more than 29,300 attack attempts have been intercepted so far. Around 16 of those occurred in just the past 24 hours. The most frequently attempted payload tries to set up an admin account with the username “diksimarina” and the email diksimarina@gmail.com on the hacked site.
These attacks have been traced to the following IP addresses:

Skimmer Operations Hide Behind Stripe for C2
This news comes alongside Sansec’s alert about multiple payment skimmer campaigns. One of those campaigns leverages Stripe as a command-and-control (C2) hub and exfiltration point, banking on Stripe’s trusted reputation to evade Content Security Policy rules and network-level defenses.
“The attacker is simply using Stripe as free infrastructure, not to process fraudulent payments,” Sansec explained. “Stripe acts as a writable card data store and a skimmer code host, all under a domain that CSP rules and network filters allow by default.”
The attack chain takes advantage of two domains widely trusted by online shops — googletagmanager.com and api.stripe.com. The malicious script is loaded through a Google Tag Manager container and runs on every page that pulls it in.
On Magento and Adobe Commerce checkout pages, the code pulls an obfuscated skimmer from a Stripe customer account’s metadata field (in this case, “cus_TfFjAAZQNOYENR”). It captures payment card details, billing and email addresses, and phone numbers, saving them in localStorage before forwarding everything to the attacker’s Stripe account.
“Each stolen card is created as a ‘customer’ in the attacker’s Stripe account,” the e-commerce security firm noted. “Once the submission succeeds, the loader wipes the localStorage entry to avoid duplicates. The attacker can later retrieve the stolen card list by querying the same Stripe API with the same key. In effect, Stripe’s customer database serves as a free, persistent data dumping ground.”
The Stripe record hosting the skimmer appears to have been created on December 24, 2025, suggesting the operation could have been running since then. Sansec also found a different variant of the loader that substitutes Stripe with Google Firestore, though the objective remains the same: exploit a trusted service as a covert data channel that shops are unlikely to block.
These findings overlap with a sweeping campaign named GorgonAgora, which operates a network of 5,714 fraudulent .shop sites impersonating well-known brands including Starbucks, Ford, Sony, Mattel, Hasbro, Lego, Disney, and Toyota. Stolen card data from their checkout pages is funneled to a single skimmer server in Moldova, with the campaign active since August 2025.
“Every fake store runs the same Medusa.js commerce platform and loads the same custom checkout SDK, which displays a counterfeit Stripe iframe and sends card data over an encrypted WebSocket to the one server in Moldova,” the Dutch firm explained.
“Data is transmitted over WebSocket inside an AES-256-GCM encrypted payload, and the C2 handles a live 3D Secure relay — when the victim’s bank triggers a 3DS verification, the operator passes it back through the fake iframe so the transaction goes through and the fraud goes unnoticed.”