Ethical Hacking News
Hackers have been exploiting a critical vulnerability in the popular WordPress plugin Everest Forms Pro, allowing them to execute arbitrary code on a server and gain complete control over compromised sites. The vulnerability has been patched with version 1.9.13, but users are urged to take immediate action to protect themselves from exploitation.
Hackers are exploiting a critical vulnerability in the WordPress plugin Everest Forms Pro, identified as CVE-2026-3300 with a CVSS score of 9.8. The vulnerability allows attackers to execute arbitrary code on a server, giving them complete control over the compromised site. More than 29,300 exploit attempts have been blocked since the vulnerability was reported on March 18, 2026. The most common payload attempts to create an administrator account named "diksimarina" on the compromised site. The vulnerability is due to a process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). Successful exploitation could allow attackers to take control of a site's backend and establish persistent footholds. Separately, a skimmer campaign is using Stripe as a command-and-control server and a data exfiltration sink. The campaign targets Magento and Adobe Commerce checkout pages, loading the skimmer from a Stripe customer account's metadata field and sending the stolen card data back to the attacker's Stripe account. The findings coincide with a large-scale operation dubbed GorgonAgora, which has been ongoing since August 2025. Everest Forms Pro users should update without delay, as the vulnerability has been patched in version 1.9.13.
In a recent development that has sent shockwaves through the cybersecurity community, hackers have been exploiting a critical vulnerability in the popular WordPress plugin Everest Forms Pro. The vulnerability, identified as CVE-2026-3300 with a CVSS score of 9.8, allows attackers to execute arbitrary code on a server, giving them complete control over the compromised site.
The vulnerability was discovered by Wordfence, a leading WordPress security company, and was first reported on March 18, 2026. Since then, more than 29,300 exploit attempts have been blocked, with 16 of these attempts occurring in the last 24 hours alone. The most common payload involves attempting to create an administrator account named "diksimarina" (email address: diksimarina@gmail.com) on the compromised site.
According to Wordfence, the vulnerability is due to a process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server, permitting them to create rogue administrator accounts, deploy web shells, and open other ways to burrow deeper into the server and establish persistent footholds.
The successful exploitation of this vulnerability could allow attackers to take control of a site's backend, making it difficult for administrators to detect the attack. This is especially concerning, as many websites rely on plugins like Everest Forms Pro to manage their content and functionality.
In addition to the vulnerability in the WordPress plugin, hackers are also running a skimmer campaign that uses Stripe as a command-and-control (C2) server and a data exfiltration sink. The campaign relies on Google Tag Manager (GTM) and Stripe domains, both of which online stores trust implicitly. The malicious code is loaded from a GTM container and executed on every page that loads it.
The skimmer attacks target Magento and Adobe Commerce checkout pages, where they extract an obfuscated skimmer from a Stripe customer account's metadata field. The captured data is then exfiltrated back to the attacker's Stripe account. According to Sansec, the e-commerce security company, "Every store runs the same Medusa.js commerce stack and loads the same custom checkout SDK, which renders a fake Stripe iframe and exfiltrates card data over an encrypted WebSocket to a single server in Moldova."
The findings coincide with a large-scale operation dubbed GorgonAgora that has used a cluster of 5,714 fake .shop storefronts impersonating brands like Starbucks, Ford, Sony, Mattel, Hasbro, Lego, Disney, and Toyota. The campaign has been ongoing since August 2025.
Threat actors are actively exploiting the vulnerability in Everest Forms Pro to execute arbitrary code, leading to a complete site compromise. The flaw sits in the Calculation Addon: its process_filter() function concatenates user-submitted form field values into a PHP code string without proper escaping before passing it to eval(), and the sanitize_text_field() function applied to the input does not escape single quotes or other characters that are meaningful in a PHP code context. Successful exploitation could allow unauthenticated bad actors to execute arbitrary PHP code on the server, permitting them to create rogue administrator accounts, deploy web shells, and open other ways to burrow deeper into the server and establish persistent footholds.
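The two descriptions above of the Calculation Addon flaw come down to one design choice: form values were treated as PHP source rather than as data. The following PHP is an added example, not code from Everest Forms Pro or Wordfence. It shows the bug class in miniature (placeholders replaced by quoted values inside an expression string destined for eval()) beside a hardened evaluator that validates each value as a number and computes the formula with a small recursive-descent parser, so no PHP code string is ever built. All function names, the placeholder syntax and the sample field values are constructed for illustration.

```php
<?php
// Added example (not Everest Forms Pro code). Contrasts the described bug class, user values
// spliced into PHP source that is then passed to eval(), with an evaluator that treats those
// values strictly as data. All names and inputs here are constructed.

// UNSAFE pattern. Field values replace placeholders inside a PHP expression string. A
// sanitizer that strips tags but leaves single quotes intact does not help, because the
// quote is meaningful in the PHP code context: a value containing one ends the literal early.
function unsafe_build_code(string $formula, array $fields): string
{
    foreach ($fields as $name => $value) {
        $formula = str_replace('{' . $name . '}', "'" . $value . "'", $formula);
    }
    return 'return ' . $formula . ';'; // in the vulnerable design this string reaches eval()
}

// SAFE approach: validate every field as a number, then evaluate the formula with a parser
// that understands only numbers, {placeholders}, + - * / and parentheses.
function safe_calculate(string $formula, array $fields): float
{
    $values = [];
    foreach ($fields as $name => $value) {
        if (!is_numeric($value)) {
            throw new InvalidArgumentException("Field '$name' is not numeric");
        }
        $values[$name] = (float) $value;
    }
    $tokens = tokenize(trim($formula), $values);
    $pos = 0;
    $result = parse_expr($tokens, $pos);
    if ($pos !== count($tokens)) {
        throw new InvalidArgumentException('Unexpected trailing input in formula');
    }
    return $result;
}

// Tokenizer: every character must belong to a known token, otherwise the formula is rejected.
function tokenize(string $formula, array $values): array
{
    $tokens = [];
    $offset = 0;
    $pattern = '/\G\s*(?:(\d+(?:\.\d+)?)|\{([A-Za-z_][A-Za-z0-9_]*)\}|([-+*\/()]))\s*/';
    while ($offset < strlen($formula)) {
        if (!preg_match($pattern, $formula, $m, 0, $offset)) {
            throw new InvalidArgumentException("Unexpected character at offset $offset");
        }
        $offset += strlen($m[0]);
        if (isset($m[1]) && $m[1] !== '') {
            $tokens[] = ['num', (float) $m[1]];
        } elseif (isset($m[2]) && $m[2] !== '') {
            if (!array_key_exists($m[2], $values)) {
                throw new InvalidArgumentException("Unknown field '{$m[2]}'");
            }
            $tokens[] = ['num', $values[$m[2]]]; // placeholder becomes a number, never text
        } else {
            $tokens[] = ['op', $m[3]];
        }
    }
    return $tokens;
}

function parse_expr(array $t, int &$p): float
{
    $v = parse_term($t, $p);
    while ($p < count($t) && $t[$p][0] === 'op' && ($t[$p][1] === '+' || $t[$p][1] === '-')) {
        $op = $t[$p++][1];
        $r = parse_term($t, $p);
        $v = ($op === '+') ? $v + $r : $v - $r;
    }
    return $v;
}

function parse_term(array $t, int &$p): float
{
    $v = parse_factor($t, $p);
    while ($p < count($t) && $t[$p][0] === 'op' && ($t[$p][1] === '*' || $t[$p][1] === '/')) {
        $op = $t[$p++][1];
        $r = parse_factor($t, $p);
        if ($op === '/') {
            if ($r == 0.0) {
                throw new DivisionByZeroError('Division by zero in formula');
            }
            $v /= $r;
        } else {
            $v *= $r;
        }
    }
    return $v;
}

function parse_factor(array $t, int &$p): float
{
    if ($p >= count($t)) {
        throw new InvalidArgumentException('Unexpected end of formula');
    }
    [$kind, $val] = $t[$p++];
    if ($kind === 'num') {
        return $val;
    }
    if ($val === '-') {
        return -parse_factor($t, $p); // unary minus
    }
    if ($val === '(') {
        $v = parse_expr($t, $p);
        if ($p >= count($t) || $t[$p][1] !== ')') {
            throw new InvalidArgumentException('Missing closing parenthesis');
        }
        $p++;
        return $v;
    }
    throw new InvalidArgumentException("Unexpected token '$val'");
}

// Constructed sample submission.
$fields = ['qty' => '3', 'price' => '19.99'];
echo unsafe_build_code('{qty} * {price}', $fields), "\n";     // the string eval() would see
echo safe_calculate('({qty} * {price}) + 5', $fields), "\n";  // computed as numbers only
try {
    safe_calculate('{qty} * 2', ['qty' => "3' . 'x"]);          // a quote-bearing value
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";                   // never reaches any evaluator
}
```

The design point is that escaping is the wrong tool here: the hardened version has nothing to escape because it never produces PHP source. Values pass is_numeric() or the submission is rejected, placeholders are resolved to numbers at the token level, and any character outside the small grammar (quotes, semicolons, function names) fails tokenization before evaluation starts.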
"The attacker treats Stripe as free infrastructure, not a way to launder charges," Sansec noted. "Stripe gives them a writable database for stolen cards and a code-hosting endpoint for the skimmer, both behind a domain that CSP rules and network filters trust by default."
In light of this development, it is essential for users of the Everest Forms Pro plugin to take immediate action to protect their sites from exploitation. The vulnerability has been patched in version 1.9.13, which can be downloaded from the official website.
In conclusion, the recent exploitation of a critical vulnerability in Everest Forms Pro highlights the ongoing threat landscape in the cybersecurity world. It is crucial for individuals and organizations to remain vigilant and take proactive measures to protect themselves against such attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Hackers-Exploit-Critical-Vulnerability-in-Everest-Forms-Pro-Plugin-to-Take-Over-Websites-ehn.shtml
https://thehackernews.com/2026/06/hackers-exploit-critical-everest-forms.html
https://nvd.nist.gov/vuln/detail/CVE-2026-3300
https://www.cvedetails.com/cve/CVE-2026-3300/
Published: Fri Jun 5 04:08:26 2026 by llama3.2 3B Q4_K_M