Critical Everest Forms Pro WordPress Plugin Flaw Under Active Exploitation
What the Vulnerability Does
The root cause lies in the Calculation Addon's process_filter() function, which takes user-submitted form field values and concatenates them directly into a string of PHP source code that is then passed to eval(). The sanitization applied to the input does not strip single quotes or other characters that carry meaning in PHP, so a submitted value can close the quoted string literal it is spliced into and append arbitrary PHP of the attacker's choosing. Any standard string-type field (text, email, URL, select, or radio) on any form that uses the "Complex Calculation" feature is a viable injection point. Because the input becomes source code rather than data, escaping is the wrong defence: the durable fix is to stop building code from form values at all and to evaluate calculations with a parser that accepts only numbers and arithmetic operators.
The result is unauthenticated remote code execution on the web server, since submitting a public form requires no account. From there, attackers can create rogue administrator accounts, deploy web shells, and establish persistent footholds on the compromised server.
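To make the pattern concrete, here is an added example written for this article; it is not code from Everest Forms or its Calculation Addon. unsafe_calculate() is a hypothetical reconstruction of the flaw as described above, and safe_calculate() shows the shape of a fix that never turns input into source. The {field_id} template syntax, the function and class names, and the use of strip_tags() as a stand-in for the plugin's sanitizer are all assumptions.

```php
<?php
declare(strict_types=1);
// Added illustration, not Everest Forms code. unsafe_calculate() reconstructs the
// pattern the advisory describes (value quoted, spliced into PHP source, eval()'d);
// the {field_id} template syntax and every name here are assumptions.

/** VULNERABLE PATTERN (hypothetical): form values are turned into PHP source. */
function unsafe_calculate(string $template, array $fields): mixed
{
    $code = $template;                                   // e.g. "{qty} * {price}"
    foreach ($fields as $id => $value) {
        // Stand-in for a sanitizer that strips markup but leaves single quotes
        // intact, so a value containing ' can close the string literal.
        $clean = strip_tags((string) $value);
        $code  = str_replace('{' . $id . '}', "'" . $clean . "'", $code);
    }
    return eval('return ' . $code . ';');                // attacker-controlled PHP runs here
}

/** HARDENED: never build source. Each value must be a plain decimal, and the
 *  template is evaluated by a parser that knows only numbers, + - * / and (). */
function safe_calculate(string $template, array $fields): float
{
    $expr = $template;
    foreach ($fields as $id => $value) {
        $value = trim((string) $value);
        if (!preg_match('/^-?\d+(?:\.\d+)?$/', $value)) {
            throw new InvalidArgumentException("Field $id is not numeric");
        }
        $expr = str_replace('{' . $id . '}', $value, $expr);
    }
    preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $expr, $m);
    if (implode('', $m[0]) !== preg_replace('/\s+/', '', $expr)) {
        throw new InvalidArgumentException('Template contains unsupported tokens');
    }
    return (new ArithmeticParser($m[0]))->parse();
}

/** Recursive descent: expr := term (('+'|'-') term)*; term := factor (('*'|'/') factor)*;
 *  factor := number | '-' factor | '(' expr ')'. */
final class ArithmeticParser
{
    private int $pos = 0;
    public function __construct(private array $tokens) {}

    public function parse(): float
    {
        $v = $this->expr();
        if ($this->pos !== count($this->tokens)) {
            throw new InvalidArgumentException('Unexpected trailing tokens');
        }
        return $v;
    }
    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }
    private function expr(): float
    {
        $v = $this->term();
        while (($op = $this->peek()) === '+' || $op === '-') {
            $this->pos++;
            $r = $this->term();
            $v = $op === '+' ? $v + $r : $v - $r;
        }
        return $v;
    }
    private function term(): float
    {
        $v = $this->factor();
        while (($op = $this->peek()) === '*' || $op === '/') {
            $this->pos++;
            $r = $this->factor();
            if ($op === '/' && $r == 0.0) {
                throw new InvalidArgumentException('Division by zero');
            }
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    }
    private function factor(): float
    {
        $t = $this->peek();
        if ($t === '-') { $this->pos++; return -$this->factor(); }   // unary minus
        if ($t === '(') {
            $this->pos++;
            $v = $this->expr();
            if ($this->peek() !== ')') { throw new InvalidArgumentException('Missing )'); }
            $this->pos++;
            return $v;
        }
        if ($t !== null && preg_match('/^\d+(?:\.\d+)?$/', $t)) { $this->pos++; return (float) $t; }
        throw new InvalidArgumentException('Unexpected token: ' . var_export($t, true));
    }
}

// Benign submission: both versions compute the same product.
$template = '{qty} * {price}';
$benign   = ['qty' => '3', 'price' => '2.5'];
echo unsafe_calculate($template, $benign), ' ', safe_calculate($template, $benign), "\n";

// Crafted value (constructed for this example): the quote closes the literal and the
// attacker's own PHP, here a harmless strlen() call, executes inside eval().
$crafted = ['qty' => "1' * strlen(PHP_OS) * '1", 'price' => '2.5'];
echo unsafe_calculate($template, $crafted), "\n";       // not the calculation the form defined
try {
    safe_calculate($template, $crafted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run it with PHP 8 from the command line. With the benign input both functions agree; with the crafted qty value the vulnerable version executes the strlen() call embedded in the submitted string, while the hardened version rejects the field before anything is evaluated. The point of the parser is that there is no code path from a form value to the PHP interpreter: values are validated as plain decimals and the template itself is restricted to arithmetic tokens, so a quote, a semicolon or a function name has nowhere to go.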
Scale of Active Exploitation
According to WordPress security firm Wordfence, attackers began exploiting this flaw as early as April 13, 2026, nearly a month after the patch was released. Wordfence reports blocking more than 29,300 exploit attempts to date, 16 of them in the 24 hours before publication. The most commonly observed payload attempts to create a fraudulent administrator account with the username "diksimarina" and the email address diksimarina@gmail.com; the presence of that account is a straightforward indicator of compromise to check for.
Attack traffic has been traced to the following IP addresses: 202.56.2.126, 209.146.60.26, 15.235.166.18, 2402:1f00:8000:800::40db, and 185.78.165.153. Block or alert on these, but treat the list as a starting point rather than a complete one: the campaign is ongoing and the set of sources should be expected to change.
A patch addressing the vulnerability was released on March 18, 2026, in version 1.9.13. All Everest Forms Pro installations running version 1.9.12 or earlier remain vulnerable and should be updated immediately. Because exploitation has been under way for weeks, updating alone is not enough on a site that was exposed: also review the administrator user list for accounts nobody recognises and check the web root for recently added PHP files, since patching closes the entry point but does not remove a foothold that is already in place.
Also: Skimmer Campaigns Abuse Stripe and Google as Covert Infrastructure
In related web security news, e-commerce security firm Sansec has disclosed multiple active credit card skimmer campaigns that abuse trusted platforms, specifically Stripe and Google services, as both command-and-control servers and data exfiltration channels in order to bypass Content Security Policy rules and network filters. The bypass works because a checkout page that legitimately uses Stripe or Google Tag Manager already allowlists those domains, and a CSP cannot tell the merchant's Stripe API call apart from a skimmer's.
In one campaign, attackers load a malicious skimmer through a Google Tag Manager container and use the metadata field of a customer record in a Stripe account to store the obfuscated skimmer payload itself. On Magento and Adobe Commerce checkout pages, the malware extracts payment card details, billing information, email addresses, and phone numbers from shoppers and saves each stolen card as a new "customer" record directly in the attacker's own Stripe account, so exfiltration is just another request to the Stripe API. The Stripe customer record used in this campaign was created on December 24, 2025, suggesting the operation has been running for months.
A second variant of the same loader uses Google Firestore instead of Stripe, but follows the same principle of hiding malicious activity behind a platform that online stores inherently trust.
Separately, Sansec also documented a large-scale operation called GorgonAgora, which has built a network of 5,714 fake .shop storefronts impersonating major brands including Starbucks, Ford, Sony, Mattel, Hasbro, Lego, Disney, and Toyota. The fake stores all run the same Medusa.js commerce stack and load a custom checkout SDK that renders a fraudulent Stripe payment iframe. Stolen card data is encrypted with AES-256-GCM and exfiltrated over WebSocket connections to a single server located in Moldova. The campaign has been active since August 2025 and includes a live 3D Secure relay: when a victim's bank triggers a verification challenge, the attacker proxies it back through the fake iframe so the transaction completes and the theft remains invisible to the cardholder.