Critical Everest Forms Pro RCE lets attackers add admins

CVE-2026-3300 in Everest Forms Pro allows unauthenticated PHP injection and admin account creation; patch 1.9.13 released March 18, 2026.

A remote code execution flaw in Everest Forms Pro is tracked as CVE-2026-3300 with a CVSS score of 9.8. The bug affects all versions up to 1.9.12. A patch was released in version 1.9.13 on March 18, 2026.

The defect is in the Calculation Addon’s process_filter() function. That routine concatenates user-submitted form field values into a PHP string and passes the result to eval() without escaping characters such as single quotes. The plugin applies sanitize_text_field(), which does not escape characters used in PHP code context. When a form uses the Complex Calculation feature, an unauthenticated attacker can submit crafted values in any string-type field — text, email, URL, select or radio — to trigger arbitrary PHP execution on the server.

Security firm Wordfence reported exploitation beginning April 13, 2026. The company has blocked more than 29,300 exploit attempts to date, with 16 attempts detected in the last 24 hours. The most common payload attempts to create an administrator account with the username “diksimarina” and the email [email protected]. Observed attack sources include IPs 202.56.2.126, 209.146.60.26, 15.235.166.18, 2402:1f00:8000:800::40db and 185.78.165.153. Successful exploitation can add admin users, deploy web shells and establish persistent access.

Site operators should install Everest Forms Pro 1.9.13 immediately. Where updating is not possible, disabling the Complex Calculation feature or removing the plugin reduces risk. The plugin has about 4,000 active installations.

Separately, e-commerce security firm Sansec identified skimmer campaigns that abuse trusted services as command-and-control and exfiltration channels. In one campaign, a loader retrieves an obfuscated skimmer from the metadata field of a Stripe customer record, runs it from a Google Tag Manager container, stores captured card and contact data in localStorage, then exfiltrates the data back to the attacker’s Stripe account. Sansec found a customer record created on December 24, 2025, that contained a skimmer.

Sansec also identified a variant that uses Google Firestore for the same purpose and linked the activity to a broader operation called GorgonAgora. That operation used thousands of fake .shop storefronts running a Medusa.js commerce stack and a custom checkout SDK to render fake Stripe iframes and send stolen card data over an encrypted WebSocket to a server in Moldova. The exfiltration used AES-256-GCM and included a live 3D Secure relay to pass bank challenges through the fake iframe.

Operators and hosts should check access logs for the “diksimarina” account and signs of web shells, verify plugin versions, and audit checkout integrations for unexpected GTM containers or Stripe customer records that may contain skimmers. The vulnerability is logged as CVE-2026-3300 with a 9.8 severity score.
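The triage the last paragraph asks for, checking the installed version against 1.9.13, looking for the observed source addresses in access logs and reviewing administrator accounts for the "diksimarina" username or recent creation, is shown below as an added example; it is not Wordfence's or the plugin vendor's tooling. The indicators are the ones quoted in this article; the access-log lines and the user export (in the column layout of a `wp user list --format=csv` export, with a placeholder e-mail address) are constructed sample data, and the "administrator registered on or after April 13, 2026" rule is a review heuristic, not a reported indicator.

```python
import csv
import io
import ipaddress
import re
from datetime import date, datetime

# Indicators quoted in the article: the username the common payload creates, the
# source addresses Wordfence observed, the first patched version and the date
# exploitation was first seen.
SUSPICIOUS_USERNAME = "diksimarina"
OBSERVED_SOURCE_IPS = {ipaddress.ip_address(ip) for ip in (
    "202.56.2.126", "209.146.60.26", "15.235.166.18",
    "2402:1f00:8000:800::40db", "185.78.165.153",
)}
PATCHED_VERSION = (1, 9, 13)
EXPLOITATION_START = date(2026, 4, 13)

# Constructed sample web-server access log in combined format (not real traffic).
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [14/Apr/2026:08:01:12 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
202.56.2.126 - - [14/Apr/2026:08:02:33 +0000] "POST /contact/ HTTP/1.1" 200 312 "-" "python-requests/2.31"
2402:1f00:8000:800::40db - - [14/Apr/2026:08:05:09 +0000] "POST /contact/ HTTP/1.1" 200 301 "-" "curl/8.4"
203.0.113.9 - - [14/Apr/2026:08:07:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
"""

# Constructed sample user export in the shape of `wp user list --format=csv` output
# (not real accounts; the e-mail address is a placeholder).
SAMPLE_USERS_CSV = """\
user_login,user_email,roles,user_registered
alice,alice@example.com,administrator,2024-02-10 09:12:00
diksimarina,attacker@example.invalid,administrator,2026-04-14 03:22:41
bob,bob@example.com,editor,2026-04-15 11:00:00
"""

_LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_version(text):
    """Turn '1.9.12' into (1, 9, 12) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable_version(text):
    """True for every release before 1.9.13, the first patched version."""
    return parse_version(text) < PATCHED_VERSION


def flag_access_log(log_text):
    """Return the parsed requests whose source address matches an observed attacker IP."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_LINE.match(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed or hostname-logged source; skip rather than crash
        if src in OBSERVED_SOURCE_IPS:
            hits.append({"ip": str(src), "method": m.group("method"),
                         "path": m.group("path"), "status": m.group("status")})
    return hits


def flag_users(csv_text):
    """Return (login, reason) pairs for accounts that need review: the known payload
    username, and any administrator registered on or after the exploitation start date."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["user_login"]
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S").date()
        is_admin = "administrator" in row["roles"].split(",")
        if login == SUSPICIOUS_USERNAME:
            findings.append((login, "username matches the observed payload"))
        if is_admin and registered >= EXPLOITATION_START:
            findings.append((login, f"administrator created {registered}, after exploitation began"))
    return findings


if __name__ == "__main__":
    print("plugin 1.9.12 vulnerable:", is_vulnerable_version("1.9.12"))
    for hit in flag_access_log(SAMPLE_ACCESS_LOG):
        print("request from observed source:", hit)
    for login, reason in flag_users(SAMPLE_USERS_CSV):
        print("review account:", login, "-", reason)
```

A match on a source address or a username is a reason to investigate, not proof of compromise on its own; a flagged site should also be checked for unfamiliar PHP files in writable directories and for scheduled tasks or plugins that were not installed by the operator, since the article notes that successful exploitation is followed by web shells and persistence.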
