- A critical vulnerability (CVE-2026-3300) in the Everest Forms Pro WordPress plugin is being actively exploited for remote code execution, compromising sites with about 4,000 active installations.
- Attackers have initiated over 29,300 exploit attempts since April 13, 2026, primarily to create rogue administrator accounts on compromised servers.
- Separately, sophisticated e-commerce skimmer campaigns are abusing trusted services like Stripe and Google Tag Manager as covert command-and-control infrastructure to steal payment data.
- A large-scale operation dubbed GorgonAgora uses thousands of fake storefronts impersonating major brands to funnel stolen card data to a server in Moldova.
Cybercriminals are actively targeting a critical security flaw in the Everest Forms Pro WordPress plugin, exploiting it to gain complete control over websites since mid-April 2026, according to reports. The vulnerability, a remote code execution bug with a maximum severity score, allows unauthenticated attackers to inject and execute arbitrary PHP code on vulnerable servers.
The flaw exists in the plugin’s “Complex Calculation” feature, where user-supplied input reaches PHP’s eval() function without adequate validation. Consequently, successful exploitation enables threat actors to create administrator accounts, deploy web shells, and establish persistent access to compromised sites. Over 29,300 exploit attempts have been blocked, with 16 attacks recorded in the last day alone.
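The bug class described above is user-controlled text reaching eval(). The following PHP is an added illustration written for this article, not code from Everest Forms Pro or from the researchers who reported the flaw: a hypothetical form-calculation helper shown first in the vulnerable shape (field values interpolated into a string handed to eval()) and then hardened with a small recursive-descent parser that accepts only numbers, the four arithmetic operators, parentheses and `{field}` placeholders, so no PHP is ever executed. The function names, the field names and the formula syntax are assumptions.

```php
<?php
// Added example, not the plugin's own code. Demonstrates the eval() pattern
// behind this bug class and a parser-based replacement that never runs PHP.
declare(strict_types=1);

/** VULNERABLE (assumed pattern): placeholder values are spliced into eval(). */
function calc_vulnerable(string $formula, array $fields): float
{
    foreach ($fields as $name => $value) {
        $formula = str_replace('{' . $name . '}', (string) $value, $formula);
    }
    // Whatever ended up in $formula is executed as PHP. Any non-numeric
    // field value or crafted formula becomes arbitrary code execution.
    return (float) eval('return ' . $formula . ';');
}

/** HARDENED: strict tokenizer + recursive-descent parser, no eval() at all. */
final class SafeCalc
{
    /** @var array<int, float|string> numbers as float, operators as 1-char strings */
    private array $tokens = [];
    private int $pos = 0;

    public static function run(string $formula, array $fields): float
    {
        $c = new self($formula, $fields);
        $v = $c->expr();
        if ($c->pos !== count($c->tokens)) {
            throw new InvalidArgumentException('unexpected trailing input');
        }
        return $v;
    }

    private function __construct(string $formula, array $fields)
    {
        $rest = $formula;
        while (($rest = ltrim($rest)) !== '') {
            if (preg_match('/^\{([A-Za-z0-9_]+)\}/', $rest, $m)) {
                // Placeholders resolve to numbers only; anything else is rejected
                // instead of being interpolated as text.
                if (!isset($fields[$m[1]]) || !is_numeric($fields[$m[1]])) {
                    throw new InvalidArgumentException("non-numeric field {$m[1]}");
                }
                $this->tokens[] = (float) $fields[$m[1]];
            } elseif (preg_match('/^\d+(?:\.\d+)?/', $rest, $m)) {
                $this->tokens[] = (float) $m[0];
            } elseif (str_contains('+-*/()', $rest[0])) {
                $this->tokens[] = $rest[0];
                $m = [$rest[0]];
            } else {
                // Letters, quotes, semicolons, backticks etc. never become tokens.
                throw new InvalidArgumentException('illegal character in formula');
            }
            $rest = substr($rest, strlen($m[0]));
        }
    }

    private function peek(): float|string|null
    {
        return $this->tokens[$this->pos] ?? null;
    }

    private function expr(): float            // expr := term (('+'|'-') term)*
    {
        $v = $this->term();
        while (($t = $this->peek()) === '+' || $t === '-') {
            $this->pos++;
            $r = $this->term();
            $v = $t === '+' ? $v + $r : $v - $r;
        }
        return $v;
    }

    private function term(): float            // term := factor (('*'|'/') factor)*
    {
        $v = $this->factor();
        while (($t = $this->peek()) === '*' || $t === '/') {
            $this->pos++;
            $r = $this->factor();
            if ($t === '/' && $r == 0.0) {
                throw new DivisionByZeroError('division by zero in formula');
            }
            $v = $t === '*' ? $v * $r : $v / $r;
        }
        return $v;
    }

    private function factor(): float          // factor := number | '-' factor | '(' expr ')'
    {
        $t = $this->peek();
        if ($t === '-') { $this->pos++; return -$this->factor(); }
        if ($t === '(') {
            $this->pos++;
            $v = $this->expr();
            if ($this->peek() !== ')') { throw new InvalidArgumentException('missing )'); }
            $this->pos++;
            return $v;
        }
        if (is_float($t)) { $this->pos++; return $t; }
        throw new InvalidArgumentException('unexpected token');
    }
}

// Constructed sample input: values as they would arrive from a submitted form.
$fields = ['qty' => '3', 'price' => '19.99'];
echo SafeCalc::run('{qty} * {price} * (1 + 0.2)', $fields), PHP_EOL;
try {
    SafeCalc::run('{qty} + foo()', $fields);   // rejected: identifiers are not in the grammar
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The design point is that the hardened version treats the formula as data to be parsed, not as code: field values are converted to floats before they become tokens, and any character outside the grammar aborts the calculation, so there is no string that the parser will turn into executed PHP. Sites that cannot update immediately should treat any endpoint that evaluates form-defined formulas as a code-execution surface and watch for newly created administrator accounts, which the exploitation reports above name as the attackers' first action.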
Meanwhile, separate e-commerce skimmer campaigns are abusing trusted platforms for data theft, as noted by security researchers. One campaign uses Stripe as a free command-and-control server and database, leveraging its trusted domain to bypass security filters and exfiltrate stolen payment details. The malicious code, loaded via Google Tag Manager, extracts an obfuscated skimmer from a Stripe customer account’s metadata field.
On checkout pages, the skimmer captures financial and personal data, storing it locally before sending it back to the attacker’s Stripe account. “Every stolen card becomes a ‘customer’ in the attacker’s account,” researchers explained, turning the payment processor’s infrastructure into a durable data sink. A second variant of this loader uses Google Firestore instead of Stripe for the same covert purpose.
In a related large-scale operation, a network of 5,714 fake .shop storefronts is impersonating major brands like Starbucks and Disney to steal card data, according to findings. Dubbed GorgonAgora, this campaign has been active since August 2025 and funnels information to a single server in Moldova. The fake checkout pages use a custom SDK to render a counterfeit Stripe iframe and exfiltrate encrypted data over a WebSocket connection.
