Critical Everest Forms Pro Flaw Exploited for WordPress Takeover; Patch Urged Amid Skimmer Threats
June 6, 2026
A critical remote code execution vulnerability in the Everest Forms Pro WordPress plugin, tracked as CVE-2026-3300, affects all versions up to and including 1.9.12. It lets unauthenticated attackers execute arbitrary PHP code and take over the affected site. The flaw sits in the plugin's Calculation Addon and its Complex Calculation feature: the process_filter() routine does not sufficiently escape user-supplied input, so attacker-controlled form data can be injected into, and run as, PHP code. Everest Forms released version 1.9.13 with a fix on March 18, 2026, following disclosure to Wordfence.

Active exploitation began around mid-April 2026. Wordfence's firewall has blocked more than 29,300 exploit attempts, 16 of them in the last 24 hours, and most of the activity traces to two IPs, 202.56.2.126 and 209.146.60.26. Other attacker infrastructure observed includes 15.235.166.18, 2402:1f00:8000:800::40db and 185.78.165.153. Successful exploitation has been used to create a rogue administrator account named "diksimarina", which gives full control of the site: modifying content, installing backdoors or webshells, and reading the database.

Site owners should update to 1.9.13 or later immediately. Wordfence recommends blocking the listed IPs, reviewing administrator accounts for any the site owner did not create (in particular "diksimarina"), and checking logs for anomalous form submissions and PHP execution attempts, including any occurrence of the distinctive string "diksimarina".

Separately, the same reports describe card-skimming campaigns that abuse trusted third-party services so that their traffic blends in with legitimate requests. One family of skimmers loads its malicious code via Google Tag Manager (GTM) and Stripe domains, stages captured card data in the browser's localStorage, and uses Stripe as a command-and-control and exfiltration sink; variants target Stripe or Firestore. Because these domains are routinely allow-listed, the traffic passes Content Security Policies and network filters that would block an unknown exfiltration host. A second operation, labeled GorgonAgora, runs fake storefronts on .shop domains to capture card data and exfiltrates it over WebSocket, encrypted with AES-256-GCM, to a centralized server in Moldova; a 3-D Secure (3DS) relay lets the operators complete fraudulent transactions with the stolen cards.

The combined impact is unauthorized administrative access to WordPress sites and large-scale card data theft through compromised e-commerce workflows. Patching Everest Forms Pro and monitoring for the related skimmer activity are both needed.
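As an added example (not code from Wordfence or from either cited article), the following Python script applies the published indicators to constructed sample data: it scans web-server access log lines in combined log format for the listed attacker IPs and the string "diksimarina", and audits an administrator list in the shape of `wp user list --format=json` output for the rogue account name or for unfamiliar administrators registered since the campaign began. The log lines, the user records, the April 1 cutoff and the `KNOWN_ADMINS` allow-list are all assumptions constructed for this example.

```python
"""
Detection helper for the Everest Forms Pro (CVE-2026-3300) exploitation
indicators named in the article: attacker IPs, the string "diksimarina",
and rogue administrator accounts. Added example, not Wordfence code.
Assumes Apache/nginx combined log format; every log line and user record
below is constructed sample data, not a real capture.
"""
import ipaddress
import json
import re
from datetime import datetime, timezone

# Indicators taken from the article (IPv4 and IPv6).
ATTACKER_IPS = {
    ipaddress.ip_address(ip) for ip in (
        "202.56.2.126", "209.146.60.26", "15.235.166.18",
        "2402:1f00:8000:800::40db", "185.78.165.153",
    )
}
ROGUE_MARKER = "diksimarina"

# Combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Article says exploitation started mid-April 2026; the cutoff is widened
# to April 1 so early activity is not missed (assumption).
CAMPAIGN_START = datetime(2026, 4, 1, tzinfo=timezone.utc)


def parse_ip(text):
    """Return an ip_address object, or None if the field is not an IP."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def scan_access_log(lines):
    """Return (reason, line) pairs for log lines matching an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined log format; skip rather than guess
        reasons = []
        if parse_ip(m.group("ip")) in ATTACKER_IPS:
            reasons.append("known attacker IP")
        if ROGUE_MARKER in line.lower():
            reasons.append("rogue-admin marker")
        if reasons:
            hits.append((", ".join(reasons), line))
    return hits


def suspicious_admins(users, known_admin_logins, since=CAMPAIGN_START):
    """Flag administrators whose login contains the rogue marker, or who
    are not in the allow-list and were registered on/after `since`.
    `users` uses the user_login / user_registered / roles fields that
    `wp user list --format=json` emits (roles is a comma-separated string)."""
    flagged = []
    for u in users:
        if "administrator" not in u.get("roles", ""):
            continue
        registered = datetime.strptime(
            u["user_registered"], "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        login = u["user_login"]
        if ROGUE_MARKER in login.lower():
            flagged.append((login, "matches rogue marker"))
        elif login not in known_admin_logins and registered >= since:
            flagged.append((login, "unknown admin registered %s" % registered.date()))
    return flagged


# Constructed sample access log: one benign visitor, two attacker IPs hitting
# admin-ajax.php, and one request exposing the rogue username in the URL.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jun/2026:10:01:12 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '202.56.2.126 - - [05/Jun/2026:10:02:45 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '2402:1f00:8000:800::40db - - [05/Jun/2026:10:03:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 403 199 "-" "curl/8.4.0"',
    '198.51.100.9 - - [05/Jun/2026:10:04:20 +0000] "GET /author/diksimarina/ HTTP/1.1" 200 4200 "-" "Mozilla/5.0"',
]

# Constructed sample of `wp user list --format=json` output.
SAMPLE_USERS = json.loads("""[
 {"ID": 1,  "user_login": "siteowner",   "user_email": "owner@example.com", "user_registered": "2021-03-02 09:12:00", "roles": "administrator"},
 {"ID": 57, "user_login": "diksimarina", "user_email": "x@example.net",     "user_registered": "2026-04-19 03:44:10", "roles": "administrator"},
 {"ID": 58, "user_login": "backup-ops",  "user_email": "ops@example.com",   "user_registered": "2026-05-02 11:00:00", "roles": "administrator"},
 {"ID": 12, "user_login": "editor1",     "user_email": "e@example.com",     "user_registered": "2026-04-20 08:00:00", "roles": "editor"}
]""")
KNOWN_ADMINS = {"siteowner"}  # assumption: the only legitimate admin

if __name__ == "__main__":
    for reason, line in scan_access_log(SAMPLE_LOG):
        print(f"[{reason}] {line}")
    for login, why in suspicious_admins(SAMPLE_USERS, KNOWN_ADMINS):
        print(f"admin {login}: {why}")
```

To run this against a real site, replace SAMPLE_LOG with the lines of the web server's access log and SAMPLE_USERS with the JSON from `wp user list --role=administrator --format=json`, and put every administrator you actually created in KNOWN_ADMINS. An unfamiliar administrator registered since April is a lead, not proof; the rogue marker and the attacker IPs are the firm indicators from the reports.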
Summary based on 2 sources
Sources

The Hacker News • Jun 5, 2026
Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites
BleepingComputer • Jun 6, 2026
Critical Everest Forms Pro flaw exploited to take over WordPress sites