
Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw To Take Over Sites

Threat actors are actively exploiting a critical security flaw in Everest Forms Pro, a WordPress plugin with around 4,000 active installations, to execute arbitrary code and take over vulnerable sites.

The vulnerability in question is CVE-2026-3300 (CVSS score: 9.8), a remote code execution bug that affects all versions of the plugin up to and including 1.9.12. A patch was released on March 18, 2026, in version 1.9.13.

“This is due to the Calculation Addon’s process_filter() function, which concatenates user-submitted form field values into PHP code strings without proper escaping before passing them to eval(),” Wordfence said.

“The sanitize_text_field() function used on the input does not escape single quotes or other characters that are meaningful in a PHP code context. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by sending a crafted value to any string-type form field (text, email, URL, select, radio) when the form uses the ‘Complex Calculation’ feature.”

Successful exploitation of the vulnerability allows unauthenticated attackers to execute arbitrary PHP code on the server, which in turn lets them create rogue administrator accounts, drop web shells, and otherwise gain a persistent foothold on the host.
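To make the Wordfence description concrete, here is an added Python analogue of the flaw. It is not the plugin's or Wordfence's code: Python's eval() stands in for PHP's, a small sanitize_text_field_like() helper approximates what a text sanitizer does and does not touch, and calculate_vulnerable() and calculate_safe() are this example's own names. It demonstrates that a sanitizer written for HTML output cannot protect a code context, and that the fix is to bind field values as data and evaluate a parsed, allow-listed expression rather than building source text.

```python
"""Added example (not the plugin's code): Python analogue of user-supplied
form values being spliced into source text that is then eval()'d.  The helper
names (sanitize_text_field_like, calculate_vulnerable, calculate_safe, PAYLOAD)
are this example's own."""
import ast
import operator
import re

EXECUTED = []  # sentinel: an entry here proves attacker-controlled code ran


def sanitize_text_field_like(value: str) -> str:
    """Approximates WordPress sanitize_text_field(): strips tags, control
    characters and surrounding whitespace.  It is an HTML/text sanitizer and
    leaves quotes alone, so it offers no protection in a code context."""
    value = re.sub(r"<[^>]*>", "", value)
    value = re.sub(r"[\x00-\x1f\x7f]", "", value)
    return value.strip()


def calculate_vulnerable(formula: str, fields: dict) -> float:
    """Vulnerable pattern: each {field} placeholder is replaced by a quoted,
    'sanitized' value and the resulting source text is handed to eval()."""
    code = formula
    for name, raw in fields.items():
        code = code.replace("{%s}" % name, "float('%s')" % sanitize_text_field_like(raw))
    return eval(code)  # the attacker controls part of the source text


# A field value that closes the string literal and smuggles in an expression.
# With the formula "{qty} * {price}" the eval()'d source becomes:
#   float('0') or (EXECUTED.append('rce') or 1) or float('0') * float('2.5')
PAYLOAD = "0') or (EXECUTED.append('rce') or 1) or float('0"

_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}


def calculate_safe(formula: str, fields: dict) -> float:
    """Hardened pattern: field values are converted to numbers and bound as
    variables; the formula is parsed into an AST and evaluated against a small
    allow-list.  User input never becomes source text, so quotes (or anything
    else) in it cannot change what gets evaluated."""
    values = {}
    for name, raw in fields.items():
        values[name] = float(sanitize_text_field_like(raw))  # ValueError on junk
    tree = ast.parse(re.sub(r"\{(\w+)\}", r"\1", formula), mode="eval")

    def walk(node):
        if (isinstance(node, ast.Constant) and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return float(node.value)
        if isinstance(node, ast.Name):
            if node.id not in values:
                raise ValueError("unknown field %r" % node.id)
            return values[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        raise ValueError("disallowed syntax: %s" % type(node).__name__)

    return walk(tree.body)


if __name__ == "__main__":
    fields = {"qty": "3", "price": "2.5"}
    print(calculate_vulnerable("{qty} * {price}", fields))  # 7.5
    print(calculate_safe("{qty} * {price}", fields))        # 7.5
    calculate_vulnerable("{qty} * {price}", {"qty": PAYLOAD, "price": "2.5"})
    print("vulnerable path ran attacker code:", EXECUTED)  # ['rce']
    try:
        calculate_safe("{qty} * {price}", {"qty": PAYLOAD, "price": "2.5"})
    except ValueError as exc:
        print("safe path rejected the payload:", exc)
```

Both paths agree on benign input; only the vulnerable one lets a single quote in a field value rewrite the expression. The hardened version also fails closed on a formula that uses anything outside arithmetic, which matters when the formula itself is admin-configurable.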

According to the WordPress security company, attackers have been observed exploiting the flaw since April 13, 2026. More than 29,300 exploit attempts targeting the feature have been blocked so far, 16 of them in the last 24 hours. The most common payload attempts to create an administrator account named “diksimarina” (email address: diksimarina@gmail.com) on the compromised site.

These attack attempts originate from the following IP addresses:

  • 202.56.2.126
  • 209.146.60.26
  • 15.235.166.18
  • 2402:1f00:8000:800::40db
  • 185.78.165.153
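A quick triage sweep for the indicators above, as an added example (not Wordfence's tooling): it checks the installed plugin version against the fixed release, matches web-server access-log entries against the five reported source addresses (normalizing IPv6 so alternate spellings of the same address still hit), and looks for the rogue account name both in requests and in the WordPress user list. The log lines and user records are constructed for illustration; the plugin's actual form-submission endpoint is not given in the article, so nothing is matched on request path.

```python
"""Added example (not Wordfence's or the plugin's code): sweep access logs and
the WordPress user list for the indicators reported above.  SAMPLE_LOG and
SAMPLE_USERS are constructed for this example; the indicators themselves (the
five source IPs, the 'diksimarina' account, the 1.9.13 fix) come from the
article."""
import ipaddress
import re
from typing import Iterable

ATTACKER_IPS = {ipaddress.ip_address(ip) for ip in (
    "202.56.2.126", "209.146.60.26", "15.235.166.18",
    "2402:1f00:8000:800::40db", "185.78.165.153")}
ROGUE_USER = "diksimarina"
ROGUE_EMAIL = "diksimarina@gmail.com"
FIXED_VERSION = "1.9.13"

# Combined Log Format; the client address may be IPv4 or IPv6.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def is_vulnerable_version(installed: str) -> bool:
    """True for every release up to and including 1.9.12."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def sweep_access_log(lines: Iterable[str]) -> list:
    """Return (reason, line) pairs for requests from the reported IPs, or
    requests that mention the rogue account name."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group("ip"))  # normalizes IPv6 spellings
        except ValueError:
            continue
        if src in ATTACKER_IPS:
            hits.append(("known attacker ip", line))
        elif ROGUE_USER in line.lower():
            hits.append(("rogue account name in request", line))
    return hits


def sweep_users(users: Iterable[dict]) -> list:
    """Flag accounts whose login or email matches the reported indicators."""
    return [u for u in users
            if u.get("login", "").lower() == ROGUE_USER
            or u.get("email", "").lower() == ROGUE_EMAIL]


# Constructed sample data (not from the article).  The IPv6 line deliberately
# uses the expanded spelling of the reported address.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Apr/2026:09:12:01 +0000] "GET /shop/ HTTP/1.1" 200 5120',
    '202.56.2.126 - - [14/Apr/2026:09:12:07 +0000] "POST /contact/ HTTP/1.1" 200 87',
    '2402:1f00:8000:800:0:0:0:40db - - [14/Apr/2026:09:13:40 +0000] "POST /contact/ HTTP/1.1" 200 87',
    '198.51.100.9 - - [14/Apr/2026:09:20:15 +0000] "GET /wp-login.php?log=diksimarina HTTP/1.1" 200 2210',
]
SAMPLE_USERS = [
    {"login": "editor", "email": "editor@example.com", "role": "editor"},
    {"login": "diksimarina", "email": "diksimarina@gmail.com", "role": "administrator"},
]

if __name__ == "__main__":
    print("1.9.12 vulnerable:", is_vulnerable_version("1.9.12"))
    for reason, line in sweep_access_log(SAMPLE_LOG):
        print(reason, "->", line)
    for user in sweep_users(SAMPLE_USERS):
        print("rogue account present:", user)
```

A hit on the rogue account is evidence of successful exploitation rather than an attempt, so it should trigger credential rotation and a file-integrity review for web shells, not just a block.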

Skimmer Attacks Exploit Stripe for C2

This disclosure comes as Sansec has warned of several skimmer campaigns, including one that uses Stripe as a command-and-control (C2) server and data exfiltration sink, trading on the brand’s reputation to slip past Content Security Policy rules and network filters.

“The attacker treats Stripe as free infrastructure, not as a means of issuing crimes,” Sansec noted. “Stripe gives them a writable database of stolen cards and a hosting endpoint for skimmer code, both behind a domain that CSP rules and automated network filters already trust.”

The campaign relies on Google Tag Manager (GTM) and Stripe’s domains, googletagmanager.com and api.stripe.com, both of which online stores implicitly trust. The malicious code is loaded into a GTM container and runs on every page that container is loaded on.

On Magento and Adobe Commerce checkout pages, it pulls an obfuscated skimmer out of the metadata field of a Stripe customer record (“cus_TfFjAAZQNOYENR” in this case) and stashes the payment card details, billing and email addresses, and phone numbers entered by unsuspecting shoppers in the browser’s localStorage. The captured data is then uploaded to the attacker’s Stripe account.

“Every stolen card becomes a ‘customer’ in the attacker’s account,” the e-commerce security firm said. “On success, the loader deletes the localStorage entry, so the same record is not sent twice. The attacker retrieves his stolen cards later by calling the same API with the same key. Stripe’s customer database becomes a free, long-lasting sink.”
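The exfiltration channel described above can be caught from the client side, because it has two features a legitimate Stripe.js integration does not show. This added example (not Sansec's code) inspects browser-originated requests to api.stripe.com for a secret (sk_) or restricted (rk_) key in the Authorization header, where only a publishable pk_ key should ever appear in a browser, and for a Luhn-valid card number posted to the Customers API rather than to a tokenization endpoint; it also flags a browser reading a Customer object, which is the loader step. It assumes the Customers API is reached with a non-publishable key, as that API requires. The request records are constructed HAR-style dicts with placeholder key values; the customer ID is the one reported in the article.

```python
"""Added example (not Sansec's code): flag client-side Stripe requests that
match the abuse described above.  SAMPLE_REQUESTS are constructed for this
example and the key strings are placeholders, not real Stripe keys."""
import base64
import re
from urllib.parse import urlsplit

STRIPE_HOST = "api.stripe.com"
# Endpoints that legitimately receive raw card data from Stripe.js.
TOKENIZATION_PATHS = ("/v1/tokens", "/v1/payment_methods", "/v1/sources")
_PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check: double every second digit from the right."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    return [m for m in _PAN_RE.findall(text) if luhn_ok(m)]


def api_key_from(auth_header: str) -> str:
    """Stripe accepts 'Bearer <key>' or HTTP Basic with the key as username."""
    scheme, _, cred = auth_header.partition(" ")
    if scheme.lower() == "basic":
        try:
            cred = base64.b64decode(cred).decode().split(":", 1)[0]
        except Exception:  # not valid base64; treat as no key
            cred = ""
    return cred.strip()


def classify_request(req: dict) -> list:
    """req: {'method', 'url', 'headers', 'body'} as captured from the browser.
    Returns a list of reasons (empty means nothing suspicious)."""
    url = urlsplit(req["url"])
    if url.hostname != STRIPE_HOST:
        return []
    reasons = []
    key = api_key_from(req.get("headers", {}).get("Authorization", ""))
    if key.startswith(("sk_", "rk_")):
        reasons.append("non-publishable Stripe key used from the browser")
    on_customers = url.path.startswith("/v1/customers")
    if on_customers and not url.path.startswith(TOKENIZATION_PATHS):
        pans = find_pans(req.get("body", "") + "&" + url.query)
        if pans:
            reasons.append("card number sent to Customers API (%d found)" % len(pans))
    if req["method"].upper() == "GET" and url.path.startswith("/v1/customers/"):
        reasons.append("browser reading a Customer object (skimmer loader pattern)")
    return reasons


def audit(requests: list) -> list:
    """(url, reasons) for every request that raised at least one reason."""
    out = []
    for r in requests:
        reasons = classify_request(r)
        if reasons:
            out.append((r["url"], reasons))
    return out


# Constructed sample traffic (not from the article); keys are placeholders.
SAMPLE_REQUESTS = [
    # Legitimate Stripe.js tokenization with a publishable key.
    {"method": "POST", "url": "https://api.stripe.com/v1/payment_methods",
     "headers": {"Authorization": "Bearer pk_live_EXAMPLEPUBLISHABLE"},
     "body": "type=card&card[number]=4242424242424242&card[exp_month]=12&card[exp_year]=2029"},
    # Loader fetching the skimmer from the reported customer record's metadata.
    {"method": "GET", "url": "https://api.stripe.com/v1/customers/cus_TfFjAAZQNOYENR",
     "headers": {"Authorization": "Bearer rk_live_EXAMPLERESTRICTED"}, "body": ""},
    # Skimmer writing a stolen card as a new 'customer'.
    {"method": "POST", "url": "https://api.stripe.com/v1/customers",
     "headers": {"Authorization": "Bearer rk_live_EXAMPLERESTRICTED"},
     "body": "email=victim%40example.com&metadata[cc]=4111111111111111&metadata[exp]=0828&metadata[cvv]=123"},
    # Unrelated first-party checkout request.
    {"method": "POST", "url": "https://shop.example/checkout/onepage", "headers": {}, "body": "step=payment"},
]

if __name__ == "__main__":
    for url, reasons in audit(SAMPLE_REQUESTS):
        print(url, "->", "; ".join(reasons))
```

Run against a HAR export of the checkout flow or a browser-side request monitor. Allow-listing api.stripe.com in connect-src is unavoidable for a store that uses Stripe, which is exactly why the check has to look at which endpoint is hit and with what kind of key, not merely at the destination host.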

The Stripe customer record containing the skimmer is said to have been created on December 24, 2025, indicating that the campaign may have been active since then. Sansec said it also identified a second variant of the loader that uses Google Firestore instead of Stripe, although the end goal is the same: abuse a trusted service as a covert channel that e-commerce stores are unlikely to block.

The findings coincide with a large operation dubbed GorgonAgora that used a network of 5,714 fake stores impersonating brands such as Starbucks, Ford, Sony, Mattel, Hasbro, Lego, Disney, and Toyota, whose payment pages funneled stolen card data to a single skimmer server in Moldova. The campaign has been running since August 2025.

“Each store uses the Medusa.js commerce stack and loads the same custom SDK, which renders a fake Stripe iframe and exfiltrates the card data via an encrypted WebSocket to a single server in Moldova,” the Dutch company said.

“Exfiltration runs over WebSocket with an AES-256-GCM payload, and the C2 maintains a live 3D Secure relay: when the victim’s bank returns a 3DS challenge, the operator relays it to the shopper through the fake iframe so that the transaction completes and the theft goes unnoticed.”
