[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fe5eGfe9jZCsxIARJ2sm-4QegNmMnrD7-ty--EY7Gt5g":3},{"article":4,"iocs":42},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":36},"6f54da22-74f4-4be5-921c-0f9e72819a80","Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites","hackers-exploit-critical-everest-forms-pro-wordpress-plugin-flaw-to-take-over-si-f0f98f","Threat actors are actively exploiting a critical security flaw in Everest Forms Pro, a WordPress plugin with about 4,000 active installations, to execute arbitrary code, leading to a complete site compromise. The vulnerability in question is CVE-2026-3300 (CVSS score: 9.8), a remote code execution bug impacting all versions of the plugin up to, and including, 1.9.12. A patch for the flaw was","Threat actors are actively exploiting CVE-2026-3300, a critical remote code execution flaw in Everest Forms Pro WordPress plugin (affecting versions up to 1.9.12), to execute arbitrary PHP code and take over websites. The vulnerability stems from improper escaping of user input in the Calculation Addon's process_filter() function before passing it to eval(). Over 29,300 exploit attempts have been blocked since active exploitation began on April 13, 2026, with attackers commonly attempting to create administrator accounts named 'diksimarina'.","Critical RCE vulnerability in Everest Forms Pro WordPress plugin actively exploited to compromise sites.","Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites. Ravie Lakshmanan, Jun 05, 2026, Web Security \u002F Vulnerability. Threat actors are actively exploiting a critical security flaw in Everest Forms Pro, a WordPress plugin with about 4,000 active installations, to execute arbitrary code, leading to a complete site compromise. 
The vulnerability in question is CVE-2026-3300 (CVSS score: 9.8), a remote code execution bug impacting all versions of the plugin up to, and including, 1.9.12. A patch for the flaw was released on March 18, 2026, with version 1.9.13. \"This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(),\" Wordfence said. \"The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the 'Complex Calculation' feature.\" Successful exploitation of the vulnerability could allow unauthenticated bad actors to execute arbitrary PHP code on the server, permitting them to create rogue administrator accounts, deploy web shells, and open other ways to burrow deeper into the server and establish persistent footholds. According to the WordPress security company, attackers have been observed exploiting the flaw starting April 13, 2026. More than 29,300 exploit attempts targeting the defect have been blocked to date. Of these, 16 attack attempts occurred in the last 24 hours. The most common payload involves attempts to create an administrator account named \"diksimarina\" (email address: diksimarina@gmail.com) on the compromised site. 
These attack efforts have originated from the following IP addresses: 202.56.2.126, 209.146.60.26, 15.235.166.18, 2402:1f00:8000:800::40db, and 185.78.165.153. 
Skimmer Attacks Exploit Stripe for C2 
The disclosure comes as Sansec warned of multiple skimmer campaigns, including one that uses Stripe as a command-and-control (C2) server and a data exfiltration sink in a bid to exploit the reputation of the brand and slip past Content Security Policy rules and network filters. \"The attacker treats Stripe as free infrastructure, not a way to launder charges,\" Sansec noted. \"Stripe gives them a writable database for stolen cards and a code-hosting endpoint for the skimmer, both behind a domain that CSP rules and network filters trust by default.\" The campaign relies on Google Tag Manager (GTM) and Stripe domains - googletagmanager.com and api.stripe.com - which are both trusted implicitly by online stores, with the malicious code loaded from a GTM container and executed on every page that loads it. On Magento and Adobe Commerce checkout pages, it extracts an obfuscated skimmer from the metadata field of a Stripe customer account (\"cus_TfFjAAZQNOYENR,\" in this case), and saves the financial information, billing and email addresses, and phone numbers entered by unsuspecting users to localStorage. The captured data is then exfiltrated back to the attacker's Stripe account. \"Every stolen card becomes a 'customer' in the attacker's account,\" the e-commerce security company said. \"On success, the loader deletes the localStorage entry, so the same record is not sent twice. The attacker lists their stolen cards later by calling the same API with the same key. Stripe's customer database becomes a free, durable exfiltration sink.\" The Stripe customer record containing the skimmer is said to have been created on December 24, 2025, indicating that the operation may have been active since then. 
Sansec said it also identified a second variant of the loader that uses Google Firestore instead of Stripe, although the end goal is the same: abuse a trusted service as a covert channel that's unlikely to be blocked by e-commerce stores. The findings coincide with a large-scale operation dubbed GorgonAgora that has used a cluster of 5,714 fake .shop storefronts impersonating brands like Starbucks, Ford, Sony, Mattel, Hasbro, Lego, Disney, and Toyota, whose checkout pages funnel stolen card data to a single skimmer server in Moldova. The campaign has been ongoing since August 2025. \"Every store runs the same Medusa.js commerce stack and loads the same custom checkout SDK, which renders a fake Stripe iframe and exfiltrates card data over an encrypted WebSocket to a single server in Moldova,\" the Dutch company said. \"Exfiltration runs over WebSocket with an AES-256-GCM payload, and the C2 maintains a live 3D Secure relay: when the victim bank returns a 3DS challenge, the operator proxies it back to the shopper through the fake iframe so the transaction completes and the theft stays invisible.\" 
","https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fhackers-exploit-critical-everest-forms.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEjgKOwHRwFSrcOI7vBYVGbebtc3DwR3w7SYc9l7FUXp1yXc_N2MbNNlEXtfRjVneU4wz2YB8PqC_k54o_6ZpB2oKZKhVBlK7IC-CGU05B5GgE7qS26MBxKIWLZTC2rNhVf2vufJcwh7RK4zuH-twWCcd_eZtNm25Pmn-pQyOXcB7N_C9918yOP7C1K4KrNz\u002Fs1600\u002Fwordpress.jpg","2026-06-05T08:38:59+00:00","2026-06-05T10:00:14.949107+00:00",9,[18,21,23,26,29],{"name":19,"type":20},"Everest Forms Pro","product",{"name":22,"type":20},"WordPress",{"name":24,"type":25},"Wordfence","vendor",{"name":27,"type":28},"Google Tag Manager","technology",{"name":30,"type":28},"Stripe","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":31,"icon":33,"name":34,"slug":35},null,"Vulnerabilities","vulnerabilities",[37],{"category":38},{"id":39,"icon":33,"name":40,"slug":41},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",[43,47,51,53,55,57],{"type":44,"value":45,"context":46},"cve","CVE-2026-3300","Critical RCE vulnerability in Everest Forms Pro WordPress plugin, CVSS 9.8",{"type":48,"value":49,"context":50},"ip","202.56.2.126","Source IP for exploit attempts targeting Everest Forms Pro vulnerability",{"type":48,"value":52,"context":50},"209.146.60.26",{"type":48,"value":54,"context":50},"15.235.166.18",{"type":48,"value":56,"context":50},"185.78.165.153",{"type":58,"value":59,"context":60},"email","diksimarina@gmail.com","Common payload email used in account creation attempts during exploitation"]