Critical Everest Forms Pro Flaw Under Active Exploit

Hackers are actively exploiting a critical flaw in Everest Forms Pro WordPress plugin. Over 29,300 attacks have been blocked since April. Update to version 1.9.13 immediately to prevent complete site takeover.

TL;DR: If you are running Everest Forms Pro on your WordPress site, stop reading and update right now. Attackers are actively exploiting a critical security hole in the plugin that could give them complete control of your website.

What Happened and Why It Matters to Your Site

The vulnerability, tracked as CVE-2026-3300, affects all versions of Everest Forms Pro up to version 1.9.12. This plugin has about 4,000 active installations. The security researchers at Wordfence discovered that attackers have been hammering sites with this exploit since April 13, 2026.

Here is the problem: the plugin’s Calculation Addon has a flaw in how it processes form submissions. Specifically, the process_filter() function does not properly sanitize user input before running it as PHP code. This means anyone can submit a malicious form entry and execute their own code on your server without needing to log in first.

The severity score sits at 9.8 out of 10, which is about as serious as it gets. Unauthenticated attackers can exploit this remotely, meaning they do not need any access to your site beforehand. They just need to find a form using the Complex Calculation feature.

What Attackers Are Actually Doing

Wordfence has blocked over 29,300 exploit attempts targeting this flaw so far. In just the last 24 hours, they stopped 16 additional attacks. The most common attack creates a rogue administrator account with the username “diksimarina” and email address diksimarina@gmail.com.

Once attackers create that administrator account, they have full control of your site. They can install web shells, modify your content, steal customer data, or use your server as a launching point for other attacks. Essentially, your site becomes their site.

Security researchers identified several IP addresses actively launching these attacks, including 202.56.2.126, 209.146.60.26, 15.235.166.18, 2402:1f00:8000:800::40db, and 185.78.165.153. However, blocking these specific addresses will not solve the underlying problem.

How to Protect Your Site Right Now

The plugin developer released a patch on March 18, 2026, with version 1.9.13. If you are running Everest Forms Pro, update to this version immediately. Do not wait until tomorrow or next week. This is happening right now, and your site could be next.

Log into your WordPress dashboard, navigate to Plugins, and check your installed version of Everest Forms Pro. If you see anything below 1.9.13, update it immediately. Additionally, scan your user accounts for any suspicious administrator accounts, especially one named “diksimarina.”

If you find that unauthorized account or any other suspicious admin users, delete them right away. Then, change all your administrator passwords and consider enabling two-factor authentication if you have not already.
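The three checks described above (installed version below 1.9.13, unexpected administrator accounts, and traffic from the addresses Wordfence named) can be scripted against exports you take from your own site. The following is an added example, not code from the article, Wordfence or the plugin vendor: it reads the CSV produced by `wp plugin list --format=csv` and `wp user list --format=csv` and a combined-format access log. It assumes the plugin slug `everest-forms-pro`, WP-CLI's default column names and the constructed sample rows embedded below; the only real values are those taken from the advisory.

```python
"""Triage helper for the Everest Forms Pro advisory.

Added example; this is not code from the article, from Wordfence or from the
plugin vendor. It runs over data an operator exports themselves: the CSV output
of `wp plugin list --format=csv` and `wp user list --format=csv`, plus a
combined-format web-server access log. Assumptions: the plugin slug
"everest-forms-pro", the default WP-CLI column names, and the sample rows
below, which are constructed for the demonstration.
"""
import csv
import io
import re

PATCHED_VERSION = "1.9.13"            # fixed release named in the advisory
IOC_USERNAME = "diksimarina"          # rogue admin username reported by Wordfence
IOC_EMAIL = "diksimarina@gmail.com"
IOC_IPS = {                            # attacking addresses named in the advisory
    "202.56.2.126", "209.146.60.26", "15.235.166.18",
    "2402:1f00:8000:800::40db", "185.78.165.153",
}
PLUGIN_SLUG = "everest-forms-pro"     # assumed slug; confirm yours with `wp plugin list`

# Constructed sample exports (not real data).
PLUGINS_CSV = """name,status,update,version
everest-forms,active,none,3.0.0
everest-forms-pro,active,available,1.9.12
"""
USERS_CSV = """ID,user_login,display_name,user_email,user_registered,roles
1,siteowner,Site Owner,owner@example.com,2021-03-02 10:00:00,administrator
7,editor1,Editor,editor@example.com,2022-05-11 09:00:00,editor
42,diksimarina,diksimarina,diksimarina@gmail.com,2026-04-14 03:12:55,administrator
"""
ACCESS_LOG = [
    '203.0.113.10 - - [14/Apr/2026:03:10:01 +0000] "GET / HTTP/1.1" 200 5120',
    '202.56.2.126 - - [14/Apr/2026:03:12:40 +0000] "POST /contact-us/ HTTP/1.1" 200 318',
    '198.51.100.7 - - [14/Apr/2026:03:12:48 +0000] "GET /wp-login.php HTTP/1.1" 200 2201',
    '185.78.165.153 - - [14/Apr/2026:03:12:55 +0000] "POST /contact-us/ HTTP/1.1" 200 318',
]

def parse_version(v):
    """'1.9.12' -> (1, 9, 12) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def plugin_needs_update(plugins_csv, slug=PLUGIN_SLUG):
    """Installed version if the plugin is older than the patched release, else None."""
    for row in csv.DictReader(io.StringIO(plugins_csv)):
        if row["name"] == slug and parse_version(row["version"]) < parse_version(PATCHED_VERSION):
            return row["version"]
    return None

def suspicious_admins(users_csv, known_admins):
    """Administrators not on the operator's allow-list, or matching the reported IoC."""
    flagged = []
    for row in csv.DictReader(io.StringIO(users_csv)):
        if "administrator" not in row["roles"].split(","):
            continue
        login, email = row["user_login"], row["user_email"].lower()
        if login not in known_admins or login == IOC_USERNAME or email == IOC_EMAIL:
            flagged.append(login)
    return flagged

# Combined log format: client ip, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def ioc_hits(log_lines):
    """(client ip, request path) for every request from one of the listed addresses."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(1) in IOC_IPS:
            hits.append((m.group(1), m.group(3)))
    return hits

def triage(plugins_csv, users_csv, log_lines, known_admins):
    """Bundle the three checks into one report dict."""
    return {
        "vulnerable_version": plugin_needs_update(plugins_csv),
        "suspicious_admins": suspicious_admins(users_csv, known_admins),
        "ioc_requests": ioc_hits(log_lines),
    }

if __name__ == "__main__":
    for key, value in triage(PLUGINS_CSV, USERS_CSV, ACCESS_LOG, {"siteowner"}).items():
        print(f"{key}: {value}")
```

The allow-list passed to `suspicious_admins` is the set of administrator logins you actually created; anything else with the administrator role is flagged, and the reported username and e-mail are flagged even if someone added them to the list. A hit in `ioc_requests` is a reason to look at that request in detail, not proof of compromise, and, as the article notes, an empty list does not mean the site is safe while the old version is installed.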

Related Security Threats: Stripe and Firestore Abuse

While we are discussing serious security issues, there is another threat making waves in the WordPress and e-commerce world. Security researchers at Sansec discovered hackers using Stripe and Google Firestore as command-and-control servers for payment skimming operations.

The attackers treat these trusted services as free infrastructure. They load malicious code through Google Tag Manager containers, which most sites trust by default. On checkout pages, the skimmer extracts payment card data, billing addresses, and customer information, then saves it to the attacker’s Stripe customer database.

This approach is particularly clever because Content Security Policy rules and network filters typically trust domains like api.stripe.com and googletagmanager.com. The malicious code hides in plain sight, operating behind domains that security tools assume are legitimate.
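To see concretely what "review your Content Security Policy rules" means for a checkout page, the following added example (not code from the article or from Sansec) parses a CSP header into its directives, applies the default-src fallback, and answers two review questions: which URLs a given directive would allow, and which third-party hosts the policy explicitly trusts. The two sample policies, the page origin `https://shop.example` and the unreviewed CDN host are constructed; the matching logic covers scheme sources, wildcard subdomains and exact hosts, and does not evaluate nonces, hashes or `'strict-dynamic'`.

```python
"""Coarse CSP review helper for checkout pages.

Added example, not from the article or Sansec. It parses a
Content-Security-Policy header, applies default-src fallback for fetch
directives, and reports what a directive allows and which third-party hosts
the policy trusts. Host matching handles scheme sources (https:), wildcard
subdomains (*.example.com) and exact hosts; nonces, hashes and
'strict-dynamic' are not evaluated. Sample policies and hosts are constructed.
"""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when not set (subset used here).
FALLBACK_TO_DEFAULT = {"script-src", "connect-src", "frame-src", "img-src"}

PAGE_ORIGIN = "https://shop.example"   # constructed page origin
LOOSE_POLICY = "default-src 'self'; script-src 'self' https:; connect-src 'self' https:"
PINNED_POLICY = ("default-src 'self'; "
                 "script-src 'self' https://www.googletagmanager.com; "
                 "connect-src 'self' https://api.stripe.com")

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy, directive):
    """Source list governing `directive` after default-src fallback; None if unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT:
        return policy.get("default-src")
    return None

def _host_matches(source, url):
    """Approximate CSP host-source matching for one source expression."""
    u = urlsplit(url)
    s = source.lower()
    if s == "*":
        return True
    if s.endswith(":"):                          # scheme-source such as https:
        return u.scheme == s[:-1]
    if "://" in s:                               # explicit scheme must agree
        scheme, rest = s.split("://", 1)
        if scheme != u.scheme:
            return False
    else:
        rest = s
    host = rest.split("/", 1)[0].split(":", 1)[0]   # drop path and port
    if host.startswith("*."):                    # *.example.com matches subdomains only
        return u.hostname is not None and u.hostname.endswith(host[1:])
    return u.hostname == host

def allows(policy, directive, url, page_origin=PAGE_ORIGIN):
    """Would this policy let `directive` load from `url`?"""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    if "'none'" in lowered:
        return False
    u = urlsplit(url)
    for s in lowered:
        if s == "'self'":
            if f"{u.scheme}://{u.netloc}" == page_origin:
                return True
        elif s.startswith("'"):
            continue                             # keyword, nonce or hash: not evaluated here
        elif _host_matches(s, url):
            return True
    return False

def third_party_hosts(policy, directive, page_origin=PAGE_ORIGIN):
    """Hosts the policy names explicitly for `directive`: the list to review and monitor."""
    own = urlsplit(page_origin).hostname
    hosts = []
    for s in effective_sources(policy, directive) or []:
        if s.startswith("'") or s == "*" or s.endswith(":"):
            continue
        host = s.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
        if host != own:
            hosts.append(host)
    return hosts

if __name__ == "__main__":
    for name, header in (("loose", LOOSE_POLICY), ("pinned", PINNED_POLICY)):
        p = parse_csp(header)
        print(name, "allows unreviewed script:",
              allows(p, "script-src", "https://unreviewed-cdn.example/tag.js"))
        print(name, "trusts for connect-src:", third_party_hosts(p, "connect-src"))
```

Running the two policies side by side shows the article's point from the defender's side: the loose policy with a bare `https:` grant lets any HTTPS host serve scripts, while the pinned policy blocks an unlisted host but still, by design, allows `api.stripe.com` and the Tag Manager host. CSP therefore cannot distinguish a legitimate Stripe call from a skimmer abusing the same API; the value of the review is shrinking the trusted list to what checkout actually needs and treating every host on it, and every Tag Manager container it loads, as something to monitor rather than assume safe.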

The Scale of These Skimming Operations

Sansec traced one skimmer campaign back to December 24, 2025, indicating months of undetected operation. In a separate but related threat called GorgonAgora, attackers created 5,714 fake online stores impersonating major brands like Starbucks, Ford, Sony, and Disney.

These fake storefronts use sophisticated techniques to steal payment information. They render fake Stripe iframes and relay live 3D Secure challenges back to victims, making the theft nearly invisible. All stolen data flows to a single command server located in Moldova.

The operation uses AES-256-GCM encryption over WebSocket connections, making detection extremely difficult. When a bank returns a security challenge, the attackers proxy it back through the fake interface so transactions complete normally and victims never suspect anything happened.

What This Means for Your Business

These attacks represent a shift in how hackers operate. They are not just exploiting obscure vulnerabilities anymore. Instead, they are weaponizing trusted services and exploiting plugins with relatively small user bases, betting that many site owners will not hear about the vulnerability or will delay patching.

If you use Everest Forms Pro, this affects you directly. Update immediately and check for unauthorized accounts. If you run an online store, review your Content Security Policy rules and consider additional monitoring for your checkout process.

For sites on managed WordPress care plans, these updates typically happen automatically. However, if you manage your own updates, set a calendar reminder to check for security patches weekly. Waiting even a few days can be the difference between a secure site and a compromised one.

The Bottom Line

The Everest Forms Pro vulnerability is not theoretical. Attackers are actively exploiting it right now, and they have been since mid-April. More than 29,000 blocked attacks tell you everything you need to know about how aggressively hackers are targeting this flaw.

Update to version 1.9.13 today. Check your administrator accounts for anything suspicious. If you are not confident handling this yourself, reach out to your developer or hosting provider. This is exactly the kind of threat that managed WordPress services exist to handle automatically.

The skimmer campaigns using Stripe and Firestore show that threats are becoming more sophisticated and harder to detect. Trusting a plugin or service does not mean you can ignore updates and security monitoring. Your business depends on your website working correctly and securely. Treat these warnings accordingly.

Key Takeaways

  • The security researchers at Wordfence discovered that attackers have been hammering sites with this exploit since April 13, 2026.
  • The severity score sits at 9.8 out of 10, which is about as serious as it gets.
  • Wordfence has blocked over 29,300 exploit attempts targeting this flaw so far.
  • Security researchers identified several IP addresses actively launching these attacks, including 202.56.2.126, 209.146.60.26, 15.235.166.18, 2402:1f00:8000:800::40db, and 185.78.165.153.
  • In a separate but related threat called GorgonAgora, attackers created 5,714 fake online stores impersonating major brands like Starbucks, Ford, Sony, and Disney.

Original Source: thehackernews.com

WP Guy News aims to be as close as possible to a single source of information for all WordPress news. It is sponsored by Your WP Guy, a WordPress security and maintenance company. You can learn more about our company here: Your WP Guy
