"This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval()," Wordfence said — a terse explanation of a bug that, exploited in the wild, has handed remote code execution to unauthenticated attackers.
CVE-2026-3300 and Everest Forms Pro
A critical remote code execution vulnerability tracked as CVE-2026-3300 (CVSS 9.8) affects Everest Forms Pro in all releases up to and including 1.9.12. The plugin — with roughly 4,000 active installations — received a patch on March 18, 2026, with the release of version 1.9.13. Wordfence described the root cause as unsafe construction of PHP code strings inside the plugin's Calculation Addon.
How the Calculation Addon enables arbitrary PHP execution
According to Wordfence, the Calculation Addon's process_filter() function concatenates user-submitted form field values into a PHP code string and then passes that string to eval() without proper escaping. Wordfence added that the sanitize_text_field() function applied to input "does not escape single quotes or other PHP code context characters." When a form uses the "Complex Calculation" feature, an unauthenticated attacker can submit a crafted value in any string-type form field (text, email, URL, select, radio) and inject arbitrary PHP code on the server.
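The hardening pattern that Wordfence's description implies, shown here as an added Python example (not the plugin's PHP and not Everest Forms code): every submitted value is validated as a plain number before it is substituted, and the calculation is then interpreted by a whitelist evaluator instead of being handed to eval(). The {field_name} placeholder syntax and the function names are assumptions made for this example.

```python
import ast
import operator
import re

# Hypothetical formula syntax standing in for a "Complex Calculation" rule:
# arithmetic over {field_name} placeholders filled from the submitted form.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}

def _to_number(raw):
    # Strict numeric validation of a submitted value. Tag stripping (the
    # sanitize_text_field approach) leaves quotes and other code characters
    # intact; accepting only a plain decimal number closes that gap.
    if raw is None or not re.fullmatch(r"\s*-?\d+(?:\.\d+)?\s*", raw):
        raise ValueError(f"field value is not numeric: {raw!r}")
    return float(raw)

def _eval_node(node):
    # Interpret the parsed formula with a whitelist of arithmetic nodes only;
    # names, calls, attributes and strings are rejected instead of executed.
    if isinstance(node, ast.Expression):
        return _eval_node(node.body)
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return float(node.value)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval_node(node.operand)
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    raise ValueError(f"disallowed syntax: {type(node).__name__}")

def safe_calculate(formula, fields):
    """Evaluate the formula over form values without ever calling eval()."""
    # Placeholders become parenthesised, validated numbers, so form input can
    # only ever change a number in the formula, never its structure.
    text = re.sub(r"\{(\w+)\}",
                  lambda m: f"({_to_number(fields.get(m.group(1)))!r})", formula)
    try:
        tree = ast.parse(text, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"malformed formula: {exc.msg}") from None
    return _eval_node(tree)
```

A value such as `1' . 'x` passes a tag-stripping filter untouched but fails the numeric check here, and a formula that is not pure arithmetic is refused by the evaluator rather than run.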
Observed exploitation: scale, indicators, and payloads
Wordfence reported that exploitation activity began on April 13, 2026. Its defenses have blocked more than 29,300 exploit attempts to date, 16 of them in the last 24 hours. The most common payload seen in these attempts seeks to create an administrator account named "diksimarina" using the email address diksimarina@gmail.com. Observed source addresses for these attacks include:
- 202.56.2.126
- 209.146.60.26
- 15.235.166.18
- 2402:1f00:8000:800::40db
- 185.78.165.153
Successful exploitation, Wordfence noted, could permit unauthenticated actors to create rogue administrator accounts, deploy web shells, and "open other ways to burrow deeper into the server and establish persistent footholds."
Skimmer campaigns abusing Stripe and Google Tag Manager
Separately, Sansec disclosed multiple skimmer operations that repurpose trusted services as command-and-control (C2) and exfiltration infrastructure. One campaign uses Google Tag Manager (GTM) and Stripe domains (googletagmanager.com and api.stripe.com), relying on the fact that e-commerce sites commonly trust those endpoints. Sansec wrote: "The attacker treats Stripe as free infrastructure, not a way to launder charges." The attacker stores an obfuscated skimmer inside a Stripe customer account metadata field (the report cites customer ID "cus_TfFjAAZQNOYENR") and loads malicious code from a GTM container so it executes on every page that includes the container.
On Magento and Adobe Commerce checkout pages, the loader extracts the skimmer from the Stripe customer metadata, saves captured card data and customer details to localStorage, then exfiltrates the data back to the attacker's Stripe account. Sansec summarized the abuse: "Every stolen card becomes a 'customer' in the attacker's account." The customer record containing the skimmer in this campaign was created on December 24, 2025, suggesting the operation may have been active since then. Sansec also identified a second loader variant that uses Google Firestore rather than Stripe for the same purpose.
The Stripe/Firestore method is one of several techniques observed alongside a larger operation called GorgonAgora. That campaign runs thousands of fake .shop storefronts (5,714 in Sansec's count) impersonating brands such as Starbucks, Ford, Sony, Mattel, Hasbro, Lego, Disney, and Toyota, and funnels stolen card data to a single skimmer server in Moldova. According to Sansec, each store loads the same Medusa.js commerce stack and a custom checkout SDK that renders a fake Stripe iframe; exfiltration runs over WebSocket with an AES-256-GCM payload, and the C2 maintains a live 3D Secure relay so an operator can proxy 3DS challenges back to the shopper and complete fraudulent transactions.
What this means for WordPress administrators, e-commerce merchants, and security teams
- WordPress administrators and plugin maintainers — Patch Everest Forms Pro to version 1.9.13 (released March 18, 2026) and inspect sites for the common indicators listed by Wordfence, including the creation of an administrator account named "diksimarina" or unknown web shells.
- E-commerce merchants using GTM, Stripe, Magento, or Adobe Commerce — Review GTM containers for unauthorized tags, inventory Stripe customer metadata for unexpected entries (the report cited customer ID "cus_TfFjAAZQNOYENR" as a carrier for skimmer code), and monitor checkout pages for code that writes sensitive data to localStorage or contacts unfamiliar endpoints.
- Security teams and incident responders — Correlate blocked exploit counts and source IPs (listed above) with logs dating back to April 13, 2026; look for signs of persistent footholds created via web shells or rogue admin users; and be alert for encrypted WebSocket exfiltration and 3DS relay activity consistent with the GorgonAgora description.
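A starting point for the hunt described in the last bullet, added here as an example and not anything published by Wordfence or the article: it filters combined-format web server access logs for the listed source addresses from April 13, 2026 onward, and checks a user export for the account the most common payload tries to create. The log format, the sample log lines and the user dicts are constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Indicators as reported by Wordfence (quoted from the article above).
SOURCE_IPS = {ipaddress.ip_address(s) for s in (
    "202.56.2.126", "209.146.60.26", "15.235.166.18",
    "2402:1f00:8000:800::40db", "185.78.165.153")}
ROGUE_LOGIN, ROGUE_EMAIL = "diksimarina", "diksimarina@gmail.com"
EXPLOITATION_START = datetime(2026, 4, 13, tzinfo=timezone.utc)

# Assumption: the web server writes the common/combined log format.
_LOG = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

def parse_line(line):
    """Source address, timestamp and request line from one log entry, or None."""
    m = _LOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "req": m["req"]}

def hunt_access_log(lines):
    """Entries from the reported source addresses dated on or after the first
    observed exploitation; the request line is kept for triage."""
    hits = []
    for e in filter(None, map(parse_line, lines)):
        try:
            src = ipaddress.ip_address(e["ip"])
        except ValueError:
            continue  # hostname or garbage in the address column
        if src in SOURCE_IPS and e["ts"] >= EXPLOITATION_START:
            hits.append(e)
    return hits

def find_rogue_admins(users):
    """Users matching the account the most common payload tries to create;
    `users` are dicts with user_login and user_email (e.g. rows of wp_users)."""
    return [u for u in users
            if u.get("user_login", "").lower() == ROGUE_LOGIN
            or u.get("user_email", "").lower() == ROGUE_EMAIL]

# Constructed sample data so the functions run stand-alone; not real logs.
SAMPLE_LOG = [
    '202.56.2.126 - - [14/Apr/2026:03:12:45 +0000] "POST /contact/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Apr/2026:03:13:01 +0000] "GET /contact/ HTTP/1.1" 200 8812',
    '185.78.165.153 - - [02/Apr/2026:11:00:00 +0000] "GET / HTTP/1.1" 200 4400',
    '2402:1f00:8000:800::40db - - [15/Apr/2026:07:30:12 +0000] "POST /contact/ HTTP/1.1" 200 1024',
]
SAMPLE_USERS = [{"user_login": "admin", "user_email": "owner@example.com"},
                {"user_login": "DiksiMarina", "user_email": "x@example.com"}]
```

A hit from a listed address is a lead, not proof of compromise; the request line and the surrounding entries from the same address are what to pull next, together with any administrator accounts or files that appeared after the hit.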
Two parallel threads run through these findings: a classic plugin-level remote code execution that weaponizes a calculation feature, and creative misuse of trusted third-party platforms to hide skimmers and exfiltrate payment data. Both rely on implicit trust — in plugin logic and in widely trusted domains — and both have been active in the wild. Defenders now face a concrete set of artifacts, timestamps, and indicators to hunt for, and a clear, near-term task: apply the Everest Forms Pro update and audit trusted third-party integrations that touch payment flows.
https://thehackernews.com/2026/06/hackers-exploit-critical-everest-forms.html