Cybersecurity researchers are warning WordPress administrators about active attacks targeting a critical vulnerability in Everest Forms Pro, a popular WordPress plugin used on thousands of websites.
The flaw, tracked as CVE-2026-3300, allows attackers to execute arbitrary code remotely and potentially gain full control over vulnerable websites. Security experts say exploitation attempts are already underway, making immediate patching essential for affected users.
High-Severity Remote Code Execution Flaw
The vulnerability affects all versions of Everest Forms Pro up to and including version 1.9.12. The issue was fixed in version 1.9.13, released on March 18, 2026.
According to security researchers, the flaw originates from the plugin’s Calculation Addon, specifically within a function responsible for processing complex calculations.
The vulnerable code improperly handles user-supplied input before passing it to PHP’s eval() function. Because certain characters are not adequately escaped, attackers can inject and execute malicious PHP code directly on the server.
The vulnerability carries a CVSS score of 9.8, indicating a critical level of severity.
What Attackers Can Do
Successful exploitation can give attackers complete control over affected websites.
Potential impacts include:
- Creating unauthorized administrator accounts
- Installing web shells for persistent access
- Uploading malware and backdoors
- Modifying website content
- Stealing sensitive data
- Launching further attacks against hosting environments
One particularly concerning aspect of the vulnerability is that exploitation does not require authentication. Any attacker can target a vulnerable website if it uses forms configured with the plugin’s “Complex Calculation” feature.
Active Exploitation Already Underway
Researchers report that attacks began appearing in the wild on April 13, 2026.
More than 29,000 exploitation attempts have already been detected and blocked, with new attack activity continuing to emerge.
A common attack pattern involves creating a rogue administrator account with the username “diksimarina.” Once administrative access is established, attackers can install additional malware or maintain long-term control over compromised sites.
Security teams have observed malicious traffic originating from multiple IP addresses, suggesting a coordinated exploitation campaign.
Immediate Actions for Website Owners
Website administrators using Everest Forms Pro should take the following steps immediately:
1. Update the Plugin
Upgrade to Everest Forms Pro version 1.9.13 or later without delay.
2. Review Administrator Accounts
Check for unauthorized administrator users, particularly recently created accounts that were not added by legitimate site owners.
3. Scan for Malware
Inspect websites for suspicious files, web shells, backdoors, and modified core WordPress files.
4. Audit Server Logs
Review access logs and plugin activity logs for unusual requests or unexpected administrative actions.
5. Rotate Credentials
If compromise is suspected, reset all administrator passwords and rotate hosting, database, and API credentials.
New Skimmer Campaigns Abuse Trusted Services
The WordPress attacks come as researchers uncover sophisticated payment-skimming campaigns targeting online stores.
Security firm Sansec recently identified a campaign that leverages trusted services such as Stripe and Google Tag Manager (GTM) to hide malicious activity.
Instead of using traditional attacker-controlled infrastructure, cybercriminals are abusing legitimate platforms that many e-commerce sites already trust.
Stripe Used as Command-and-Control Infrastructure
Researchers discovered attackers using Stripe customer records as both a command-and-control platform and a data storage mechanism for stolen payment information.
The attack works by:
- Loading malicious code through a compromised Google Tag Manager container
- Retrieving hidden skimmer code from Stripe metadata fields
- Capturing payment card details entered during checkout
- Storing stolen data locally before sending it back to attacker-controlled Stripe accounts
By using trusted domains such as Stripe and Google Tag Manager, attackers can often bypass security controls, content security policies, and network filtering systems.
The operation appears to have been active since at least December 2025.
Alternative Variant Uses Google Firestore
Researchers also identified a second version of the attack that replaces Stripe with Google Firestore.
Although the infrastructure differs, the objective remains the same: leveraging reputable cloud services as covert channels for malicious communications and data theft.
Because many organizations trust traffic from major cloud providers, these techniques make detection significantly more challenging.
Massive Fake Store Network Targets Online Shoppers
In a separate investigation, researchers uncovered a large-scale operation known as “GorgonAgora.”
The campaign involves more than 5,700 fraudulent online stores using the .shop domain. These websites impersonate well-known global brands to trick consumers into entering payment information.
Brands targeted in the campaign reportedly include major automotive, entertainment, toy, and retail companies.
The fake stores operate using a shared e-commerce platform and deploy a counterfeit payment system designed to mimic legitimate Stripe checkout pages.
Advanced Payment Theft Techniques
What makes the campaign particularly dangerous is its ability to handle modern payment verification processes.
Researchers found that stolen payment data is transmitted through encrypted channels to attacker-controlled infrastructure. The system can even relay 3D Secure authentication challenges in real time, allowing fraudulent transactions to proceed without alerting victims.
This creates a seamless experience for shoppers, many of whom remain unaware that their card information has been stolen.
Growing Threat to Website Owners and Online Shoppers
The active exploitation of CVE-2026-3300 and the emergence of increasingly sophisticated payment-skimming operations highlight the evolving threat landscape facing website owners and online businesses.
For WordPress administrators, timely patch management remains the most effective defense against critical vulnerabilities. For e-commerce operators, monitoring third-party integrations and limiting trust in external services has become increasingly important as attackers shift toward abusing legitimate platforms.
As cybercriminals continue to refine their tactics, organizations must remain vigilant and adopt a proactive approach to security before vulnerabilities become entry points for large-scale compromise.
