The critical remote code execution vulnerability CVE-2026-3300 (CVSS 9.8) in the Everest Forms Pro plugin for WordPress is being actively exploited by attackers to fully compromise websites. According to Wordfence, more than 29,300 blocked exploitation attempts have been recorded since April 13, 2026. The vulnerability affects all plugin versions up to and including 1.9.12, and a fix is available in version 1.9.13, released on March 18, 2026. Site owners with Everest Forms Pro installed (around 4,000 active installations) must update the plugin immediately — attackers are creating controlled administrator accounts and deploying web shells without any authentication.
Technical anatomy of the vulnerability
The root cause of the vulnerability, as reported by Wordfence, lies in the process_filter() function of the Calculation Addon module. This function concatenates user-submitted form field values into a PHP code string without proper escaping, and then passes the result to eval(). The sanitize_text_field() function applied to the input does not escape single quotes or other characters that are significant in the context of PHP code.
This allows an unauthenticated attacker to inject and execute arbitrary PHP code on the server by submitting a specially crafted value to any string form field (text, email, URL, select, radio) if the form uses the “Complex Calculation” feature. According to the NVD entry, the vulnerability has received a CVSS score of 9.8, which is very close to the maximum critical rating.
Successful exploitation allows attackers to:
- Create administrator accounts under their control
- Deploy web shells for persistent access
- Deepen their foothold in the server infrastructure and maintain persistence
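As an added example (not code from Everest Forms Pro or from Wordfence), this is the hardened shape such a calculation feature can take: the submitted value is tokenized against a strict allowlist and evaluated by a small recursive-descent parser, so no string ever reaches eval(). The class name SafeCalc and the supported grammar (numbers, + - * /, unary minus, parentheses) are assumptions of this example.

```php
<?php
// Added example, not code from Everest Forms Pro: a strict arithmetic evaluator that
// replaces eval() for form-driven calculations. Only numbers, + - * / and parentheses
// are tokens; a quote, identifier or semicolon is rejected before anything is
// evaluated, so a field value can never become PHP code, whatever sanitize_text_field() left in it.
final class SafeCalc {
    private array $tokens = [];
    private int $pos = 0;
    public static function evaluate(string $expr): float {
        $compact = preg_replace('/\s+/', '', $expr);
        preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $compact, $m);
        // Every non-space character must have been consumed as an allowed token.
        if ($compact === '' || implode('', $m[0]) !== $compact) {
            throw new InvalidArgumentException('disallowed characters in expression');
        }
        $c = new self(); $c->tokens = $m[0];
        $v = $c->expression();
        if ($c->pos !== count($m[0])) { throw new InvalidArgumentException('trailing token'); }
        return $v;
    }
    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }
    private function expression(): float {   // term (('+' | '-') term)*
        $v = $this->term();
        while (($op = $this->peek()) === '+' || $op === '-') {
            $this->pos++; $v = $op === '+' ? $v + $this->term() : $v - $this->term();
        }
        return $v;
    }
    private function term(): float {   // factor (('*' | '/') factor)*
        $v = $this->factor();
        while (($op = $this->peek()) === '*' || $op === '/') {
            $this->pos++; $rhs = $this->factor();
            if ($op === '/' && $rhs == 0.0) { throw new DomainException('division by zero'); }
            $v = $op === '*' ? $v * $rhs : $v / $rhs;
        }
        return $v;
    }
    private function factor(): float {   // '-' factor | '(' expression ')' | number
        $t = $this->tokens[$this->pos++] ?? null;
        if ($t === '-') { return -$this->factor(); }
        if ($t === '(') {
            $v = $this->expression();
            if (($this->tokens[$this->pos++] ?? null) !== ')') { throw new InvalidArgumentException('missing )'); }
            return $v;
        }
        if ($t === null || !is_numeric($t)) { throw new InvalidArgumentException('number expected'); }
        return (float) $t;
    }
}
```

With this grammar, SafeCalc::evaluate('(12.5 + 7) * 3') returns 58.5, while a value such as "1 + 'x'" throws InvalidArgumentException at the tokenizer, before anything resembling evaluation happens.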
Observed exploitation activity
According to Wordfence, active exploitation of CVE-2026-3300 has been observed since April 13, 2026. At the time of publication, more than 29,300 attack attempts have been blocked, and 16 attacks have been recorded in the last 24 hours. The most common payload aims to create an administrator account named “diksimarina” with the email address [email protected].
Recorded source IP addresses of the attacks:
- 202.56.2.126
- 209.146.60.26
- 15.235.166.182
- 2402:1f00:8000:800::40db
- 185.78.165.153
These indicators of compromise are derived from a single security vendor’s telemetry and may change over time.
Skimming campaigns: abusing trusted infrastructure
In parallel with the exploitation of Everest Forms Pro, Sansec researchers have identified several payment data theft campaigns that use a fundamentally new approach to disguising malicious infrastructure.
Stripe as a command server
One of the campaigns described by Sansec uses Stripe as a command server and storage for stolen data. Attackers load malicious code through a Google Tag Manager container, and the obfuscated skimmer is extracted from the metadata field of a Stripe customer record (identifier cus_TfFjAAZQNOYENR).
The key idea of the attack is that the googletagmanager.com and api.stripe.com domains are by default trusted by online stores and are allowed by Content Security Policy rules and network filters. On Magento and Adobe Commerce checkout pages, the skimmer intercepts financial information, billing addresses, email addresses, and phone numbers, saving them in the browser’s localStorage before sending them to the attacker’s Stripe account.
As the researchers note, each stolen card becomes a “customer” in the attacker’s account, and the Stripe customer base turns into a free and reliable exfiltration storage. The Stripe record containing the skimmer was presumably created on December 24, 2025, indicating that the operation may have been active since that date. Sansec also discovered a second variant of the loader that uses Google Firestore instead of Stripe for similar purposes.
Operation GorgonAgora
Separately, Sansec describes the large-scale operation GorgonAgora, which, according to the researchers, includes 5,714 fake online stores in the .shop zone impersonating brands such as Starbucks, Ford, Sony, Mattel, Hasbro, Lego, Disney, and Toyota. The campaign has presumably been active since August 2025.
All stores run on the Medusa.js stack and load a single checkout SDK that displays a fake Stripe iframe and transmits card data over an encrypted WebSocket connection (AES-256-GCM) to a single server in Moldova. Notably, the infrastructure supports real-time 3D Secure relay: when the victim’s bank returns a 3DS request, the operator proxies it back to the buyer via the fake iframe, ensuring that the transaction completes and the theft remains invisible.
Impact assessment
Although the number of active Everest Forms Pro installations is relatively small (around 4,000), the nature of the vulnerability — unauthenticated remote code execution with a CVSS score of 9.8 — makes every unpatched site a target for automated attacks. The gap between patch release (March 18) and the start of observed exploitation (April 13) was less than one month, which is typical for critical WordPress plugin vulnerabilities.
The skimming campaigns represent a different scale of threat: abusing trusted services (Stripe, Google Tag Manager, Google Firestore) undermines traditional protection models based on domain whitelists and CSP. Store owners running Magento and Adobe Commerce are at the highest risk.
Practical recommendations
For site owners using Everest Forms Pro:
- Immediately update the plugin to version 1.9.13 or later
- Check the list of administrators for unknown accounts, in particular “diksimarina”
- Scan the file system for web shells and unauthorized files
- Block the listed IP addresses at the WAF or firewall level
- If updating is not possible, disable the “Complex Calculation” feature or the entire plugin until the patch is applied
For online store owners (Magento, Adobe Commerce):
- Audit Google Tag Manager containers for unauthorized tags and scripts
- Check whether any scripts loaded on checkout pages are calling the Stripe API with unknown keys
- Implement script integrity monitoring on critical pages (checkout, cart)
- Consider using Subresource Integrity (SRI) for external scripts where technically feasible
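As an added example (not code from Sansec, Magento or Adobe Commerce), the following audit implements the last three recommendations in one pass: it trusts checkout scripts by exact URL and content hash rather than by domain, allows an approved-but-dynamic URL (a Google Tag Manager container) without pinning its content, and reports any Stripe publishable key in a script body that is not the store's own. The function names, URLs, keys and script bodies are constructed placeholders.

```php
<?php
// Added example, not code from Sansec or from any store platform: a checkout-page
// script audit that trusts exact URLs and content hashes rather than domains, and
// flags Stripe publishable keys other than the store's own. Script bodies are
// supplied by the caller; here they are constructed strings, not real assets.
function sri_value(string $body): string {
    return 'sha384-' . base64_encode(hash('sha384', $body, true));
}
/**
 * @param array<string,?string> $baseline URL => expected SRI value, or null for an
 *                                        approved URL whose content is dynamic (e.g. a GTM container)
 * @param array<string,string>  $observed URL => script body actually served on the page
 * @return list<string> findings; empty when the page matches the baseline
 */
function audit_checkout_scripts(array $baseline, array $observed, string $ownKey): array {
    $findings = [];
    foreach ($observed as $url => $body) {
        if (!array_key_exists($url, $baseline)) {
            // Domain trust is not enough: an unapproved URL on a familiar host still fails.
            $findings[] = "unapproved script: $url";
        } elseif ($baseline[$url] !== null && !hash_equals($baseline[$url], sri_value($body))) {
            $findings[] = "content changed: $url";
        }
        // Stripe publishable keys carry the documented pk_live_ / pk_test_ prefixes.
        preg_match_all('/pk_(?:live|test)_[A-Za-z0-9]+/', $body, $m);
        foreach (array_unique($m[0]) as $key) {
            if ($key !== $ownKey) { $findings[] = "foreign Stripe key in $url"; }
        }
    }
    foreach (array_diff_key($baseline, $observed) as $url => $_) {
        $findings[] = "expected script missing: $url";
    }
    return $findings;
}

// Constructed baseline and page inventory (placeholder URLs, keys and bodies).
$ownKey = 'pk_live_EXAMPLESTOREKEY';
$baseline = [
    'https://example-store.test/static/checkout.js'          => sri_value("initCheckout('$ownKey');"),
    'https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE' => null,  // approved, content dynamic
];
$observed = [
    'https://example-store.test/static/checkout.js'            => "initCheckout('$ownKey');",
    'https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE'   => "/* container */",
    'https://www.googletagmanager.com/gtag/js?id=G-UNAPPROVED' => "/* tag nobody approved */ var k = 'pk_live_NOTOURS';",
];
print_r(audit_checkout_scripts($baseline, $observed, $ownKey));
```

On the constructed inventory the audit reports two findings for the unapproved googletagmanager.com URL (unapproved script, foreign Stripe key) and nothing for the two baseline entries, which is the point: the host is allowed, the specific script and key are not.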
Owners of WordPress sites using Everest Forms Pro should treat upgrading to version 1.9.13 as a zero-day level priority — the patch has been available for three months, and automated attacks continue. For e-commerce operators, the key takeaway from the skimming campaigns is that trust in a domain (Stripe, Google) is no longer sufficient for security: control is required at the level of specific scripts and API keys, not just domain-based policies.