Critical WordPress Flaw Under Active Attack, E-commerce Skimmers Weaponize Trusted Services
Threat actors are actively exploiting a critical remote code execution vulnerability in the Everest Forms Pro WordPress plugin, leading to site compromises. Concurrently, new e-commerce skimming campaigns are leveraging trusted services like Stripe and Google Tag Manager for covert command-and-control and data exfiltration, bypassing traditional security measures.

## WordPress Plugin RCE Under Active Exploitation
Threat actors are actively leveraging a critical security flaw in **Everest Forms Pro**, a popular **WordPress** plugin with approximately 4,000 active installations. This exploitation allows for arbitrary code execution, potentially leading to a complete compromise of affected websites.
The vulnerability, tracked as **CVE-2026-3300** (CVSS score: 9.8), is a remote code execution (RCE) bug affecting all versions of the plugin up to and including 1.9.12. A patch was released on March 18, 2026, with version 1.9.13.
According to **Wordfence**, the flaw stems from the Calculation Addon's `process_filter()` function. This function concatenates user-submitted form field values into a PHP code string without proper escaping before passing it to `eval()`, as detailed in their [blog post](https://www.wordfence.com/blog/2026/06/attackers-actively-exploiting-critical-vulnerability-in-everest-forms-pro-plugin/).
"The `sanitize_text_field()` function applied to input does not escape single quotes or other PHP code context characters," **Wordfence** explained. "This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the 'Complex Calculation' feature."
Successful exploitation grants unauthenticated attackers the ability to execute arbitrary PHP code on the server. This can lead to the creation of rogue administrator accounts, deployment of web shells, and the establishment of persistent footholds for deeper server infiltration.
Attackers began exploiting this vulnerability on April 13, 2026. **Wordfence** reports blocking over 29,300 exploit attempts to date, with 16 attempts occurring within the last 24 hours. A common payload observed involves creating an administrator account named "diksimarina" with the email address [email protected] on compromised sites, as noted in their [threat intelligence](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/everest-forms-pro/everest-forms-pro-1912-unauthenticated-remote-code-execution-via-calculation-field).
Observed attack attempts have originated from the following IP addresses:
* 202.56.2.126
* 209.146.60.26
* 15.235.166.18
* 2402:1f00:8000:800::40db
* 185.78.165.153
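
The following Node.js script is an added triage example, not code from Wordfence or the plugin vendor. It turns the advisory's three actionable facts into checks a site owner can run: whether the installed plugin version predates the fixed release 1.9.13, whether any administrator account matches the reported rogue username or was created on or after the first observed exploitation date, and whether the web server's access log contains requests from the source IPs listed above. The plugin header layout is the standard WordPress header comment; the user-export shape (`user_login`, `user_registered`, `roles`) and all log lines, paths and user agents are constructed for the example, with only the IPs taken from the report.

```javascript
// Added triage example, not code from Wordfence or the plugin vendor. Checks:
// installed plugin version vs. the fixed release, administrator accounts that
// match the reported rogue-account indicator, and access-log lines from the
// source IPs reported above. All sample inputs below are constructed.

const FIXED_VERSION = "1.9.13";           // first patched release (advisory)
const ROGUE_USERNAME = "diksimarina";     // rogue admin name reported by Wordfence
const EXPLOITATION_START = "2026-04-13";  // first observed exploitation date
const REPORTED_SOURCE_IPS = new Set([
  "202.56.2.126", "209.146.60.26", "15.235.166.18",
  "2402:1f00:8000:800::40db", "185.78.165.153",
]);

// Dotted version compare: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every release before 1.9.13 is affected ("up to and including 1.9.12").
function isVulnerableVersion(installed) {
  return compareVersions(installed, FIXED_VERSION) < 0;
}

// Read the "Version:" line of a WordPress plugin header comment.
function pluginVersionFromHeader(phpSource) {
  const m = /^\s*\*?\s*Version:\s*([\d.]+)/m.exec(phpSource);
  return m ? m[1] : null;
}

// Flag administrators whose login matches the reported rogue account, or who
// were registered on or after the first exploitation date. `users` uses an
// assumed export shape: {user_login, user_registered (ISO 8601), roles[]}.
function suspiciousAdmins(users) {
  const cutoff = Date.parse(EXPLOITATION_START);
  return users.filter(
    (u) =>
      u.roles.includes("administrator") &&
      (u.user_login.toLowerCase() === ROGUE_USERNAME ||
        Date.parse(u.user_registered) >= cutoff)
  );
}

// Parse combined-format access log lines and keep those from reported IPs.
function hitsFromReportedIps(logLines) {
  const hits = [];
  const re = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;
  for (const line of logLines) {
    const m = re.exec(line);
    if (!m) continue;
    const [, ip, when, method, path, status] = m;
    if (REPORTED_SOURCE_IPS.has(ip)) {
      hits.push({ ip, when, method, path, status: Number(status) });
    }
  }
  return hits;
}

function triage({ pluginHeader, users, logLines }) {
  const version = pluginVersionFromHeader(pluginHeader);
  return {
    version,
    needsUpdate: version !== null && isVulnerableVersion(version),
    suspiciousAdmins: suspiciousAdmins(users).map((u) => u.user_login),
    reportedIpHits: hitsFromReportedIps(logLines),
  };
}

// --- constructed sample inputs ---
const SAMPLE_HEADER = `<?php
/**
 * Plugin Name: Everest Forms Pro
 * Version: 1.9.12
 */`;

const SAMPLE_USERS = [
  { user_login: "site_owner", user_registered: "2023-06-01T08:00:00Z", roles: ["administrator"] },
  { user_login: "editor_jane", user_registered: "2024-02-01T10:00:00Z", roles: ["editor"] },
  { user_login: "diksimarina", user_registered: "2026-04-14T09:12:45Z", roles: ["administrator"] },
];

// Paths and user agents are invented; only the source IPs come from the report.
const SAMPLE_LOG = [
  '203.0.113.7 - - [14/Apr/2026:09:12:01 +0000] "GET /shop/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
  '202.56.2.126 - - [14/Apr/2026:09:12:44 +0000] "POST /contact/ HTTP/1.1" 200 812 "-" "python-requests/2.31"',
  '2402:1f00:8000:800::40db - - [14/Apr/2026:09:13:02 +0000] "POST /contact/ HTTP/1.1" 200 812 "-" "curl/8.5.0"',
];

if (typeof require !== "undefined" && require.main === module) {
  const report = triage({ pluginHeader: SAMPLE_HEADER, users: SAMPLE_USERS, logLines: SAMPLE_LOG });
  console.log(JSON.stringify(report, null, 2));
}
```

A real run would feed `triage()` the main plugin file's header, a user export that includes registration dates and roles, and the raw access log. The registration-date rule deliberately over-reports: any administrator created after April 13, 2026 is worth a human look, because an attacker with code execution is not obliged to reuse the username seen so far.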

## E-commerce Skimmer Attacks Exploit Trusted Services for C2
In related news, **Sansec** has revealed multiple skimmer campaigns that ingeniously leverage trusted services like **Stripe** for command-and-control (C2) and data exfiltration. This tactic exploits the reputation of these brands to bypass **Content Security Policy** (CSP) rules and network filters.
"The attacker treats **Stripe** as free infrastructure, not a way to launder charges," **Sansec** noted in their [research](https://sansec.io/research/stripe-api-skimmer-infrastructure). "**Stripe** gives them a writable database for stolen cards and a code-hosting endpoint for the skimmer, both behind a domain that CSP rules and network filters trust by default."
These campaigns rely on **Google Tag Manager** (GTM) and **Stripe** domains (googletagmanager.com and api.stripe.com), which are implicitly trusted by online stores. Malicious code is loaded from a GTM container and executed on every page where it's present.
On **Magento** and **Adobe Commerce** checkout pages, an obfuscated skimmer is extracted from a [Stripe customer account's](https://docs.stripe.com/api/customers/) metadata field (e.g., "cus_TfFjAAZQNOYENR"). It then saves financial information, billing details, email addresses, and phone numbers to [localStorage](https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage) before exfiltrating the captured data back to the attacker's **Stripe** account.
"Every stolen card becomes a 'customer' in the attacker's account," the e-commerce security company stated. "On success, the loader deletes the `localStorage` entry, so the same record is not sent twice. The attacker lists their stolen cards later by calling the same API with the same key. **Stripe**'s customer database becomes a free, durable exfiltration sink."
The **Stripe** customer record containing the skimmer was reportedly created on December 24, 2025, suggesting a long-running operation. **Sansec** also identified a variant using **Google Firestore** instead of **Stripe**, demonstrating a broader strategy to abuse trusted services as covert channels.
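
The loader described above stages captured fields in `localStorage` before sending them to `api.stripe.com` and deletes the entry on success. That write is an observable event on the merchant's own origin, which the following added example (not Sansec's code) uses as a canary: it wraps a Storage-like object so every `setItem()` is scanned for values that look like payment card numbers (13 to 19 digits passing the Luhn check), records a masked detection event, and optionally blocks the write. The in-memory storage, the `_cache_v2` key and the sample records are constructed for the example; the card number used is Stripe's public test card.

```javascript
// Added example, not Sansec's code: a canary for card data staged in
// localStorage. Wrapping setItem() lets the page notice card-like values at
// write time, before the record is exfiltrated and deleted. Detection events
// carry only the last four digits so the log never becomes a second copy of
// the card number.

// Luhn checksum, the standard check digit scheme for card numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Substrings that look like PANs: 13-19 digits, optional space/dash grouping,
// passing Luhn. Longer digit runs (order ids, timestamps) are not matched.
function findCardNumbers(text) {
  const re = /\b(?:\d[ -]?){12,18}\d\b/g;
  const found = [];
  let m;
  while ((m = re.exec(text)) !== null) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length <= 19 && luhnValid(digits)) found.push(digits);
  }
  return found;
}

const mask = (digits) => "*".repeat(digits.length - 4) + digits.slice(-4);

// Wrap any Storage-like object so every write is inspected. The raw value is
// scanned as text, so JSON-encoded records are covered without parsing.
// `onDetect(event)` may return true to block the write.
function guardStorage(storage, onDetect) {
  const events = [];
  return {
    events,
    getItem: (k) => storage.getItem(k),
    removeItem: (k) => storage.removeItem(k),
    setItem(key, value) {
      const cards = findCardNumbers(String(value));
      if (cards.length > 0) {
        const event = { key, masked: cards.map(mask), at: new Date().toISOString() };
        events.push(event);
        if (onDetect && onDetect(event) === true) return; // write blocked
      }
      storage.setItem(key, value);
    },
  };
}

// Minimal in-memory stand-in for window.localStorage so this runs in Node.
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

// Constructed sample: one benign cart write (with a 20-digit order reference
// that must not trigger) and one record shaped like a staged capture.
function demo() {
  const backing = memoryStorage();
  const storage = guardStorage(backing, () => true); // block on detection
  storage.setItem("cart", JSON.stringify({ qty: 2, sku: "SKU-1001", orderRef: "20260414091201123456" }));
  storage.setItem("_cache_v2", JSON.stringify({ cc: "4242 4242 4242 4242", exp: "12/27", email: "shopper@example.com" }));
  return { events: storage.events, staged: backing.getItem("_cache_v2") };
}
```

In a browser the same scan would be installed by patching `Storage.prototype.setItem` from a first-party script that loads before the GTM container, with `onDetect` reporting to a merchant-controlled endpoint. Treat it as a canary rather than a control: a skimmer running in the same origin can restore the original method, and the GorgonAgora SDK described below streams card data over a WebSocket without touching storage at all. Its value is that a domain-based CSP cannot tell the merchant's own calls to `api.stripe.com` apart from the attacker's, so watching what the page writes and sends is the practical complement to the allowlist.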
These findings coincide with a large-scale operation dubbed **GorgonAgora**, which has utilized a cluster of 5,714 fake .shop storefronts. These imposter sites mimic popular brands like Starbucks, Ford, Sony, Mattel, Hasbro, Lego, Disney, and Toyota, funneling stolen card data from their checkout pages to a single skimmer server in Moldova. This campaign has been active since August 2025, as detailed in [Sansec's report](https://sansec.io/research/gorgonagora-fake-storefront-skimming-network).
"Every store runs the same **Medusa.js** commerce stack and loads the same custom checkout SDK, which renders a fake **Stripe** iframe and exfiltrates card data over an encrypted WebSocket to a single server in Moldova," the Dutch company detailed.
Exfiltration within **GorgonAgora** uses WebSocket with an **AES-256-GCM** payload. The C2 infrastructure maintains a live **3D Secure** relay, proxying bank challenges back to the shopper through the fake iframe to complete transactions and keep the theft invisible.