Dominic Jainy is an IT professional whose career has been defined by a deep curiosity for the structural integrity of the digital world. With extensive expertise in artificial intelligence, machine learning, and blockchain, he has spent years analyzing how complex systems can be both optimized and exploited. Dominic brings a uniquely holistic perspective to cybersecurity, often looking beyond the immediate code to the broader architectural implications of emerging threats. Today, he joins us to dissect the mechanics of recent high-profile vulnerabilities and the evolving landscape of e-commerce exploitation.
In this discussion, we explore the critical remote code execution vulnerability found within the Everest Forms Pro WordPress plugin and the frighteningly effective ways threat actors are now utilizing trusted platforms like Stripe for command-and-control operations. We also delve into the massive scale of the GorgonAgora campaign, which leverages thousands of fake storefronts and sophisticated real-time relays to bypass modern banking security measures.
How does a standard calculation feature in a popular plugin like Everest Forms Pro end up providing a direct path for unauthenticated attackers to seize complete control of a website?
The vulnerability within Everest Forms Pro, specifically identified as CVE-2026-3300, is a classic example of what happens when convenience outpaces security validation. The issue resides in the Calculation Addon’s process_filter() function, which was designed to handle user-submitted data for complex mathematical operations. However, the plugin failed to properly escape single quotes or other PHP context characters before passing those values into an eval() function, which is essentially giving the server a blank check to run whatever code is provided. While the developers utilized the sanitize_text_field() function, this specific filter is insufficient because it doesn’t strip out the characters necessary to break out of a PHP string and inject malicious commands. For the approximately 4,000 active installations, this meant that an unauthenticated attacker could simply fill out a form field—whether it be a text box, an email field, or even a radio button—with a crafted payload to gain a persistent foothold. We have already seen the real-world fallout of this, with over 29,300 exploit attempts blocked to date, many of which were specifically designed to create a rogue administrator account under the name “diksimarina.”
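The pattern the answer describes, shown as an added JavaScript illustration rather than the plugin's own PHP: a tag-stripping sanitizer (written here as a hypothetical approximation, not WordPress's sanitize_text_field()) leaves quotes in place, so "sanitize, then eval" still hands an interpreter attacker-shaped text. The fix is not a stronger sanitizer but removing eval from the path entirely: the calculation is parsed against a whitelisted arithmetic grammar, so there is no string context to break out of. All function names are assumptions made for this example.

```javascript
// Added example, not code from Everest Forms Pro: the "sanitize, then eval"
// mistake and its fix, shown in JavaScript. The lesson transfers to PHP.

// Hypothetical approximation of a tag-stripping text sanitizer. It removes
// HTML tags and control characters but leaves quotes alone, which is exactly
// the gap the interview describes: a quote survives into the evaluated string.
function naiveSanitize(input) {
  return String(input)
    .replace(/<[^>]*>/g, "")
    .replace(/[\x00-\x1f\x7f]/g, "")
    .trim();
}

// Fix: never hand user text to an interpreter. Accept only numbers, the four
// operators and parentheses; anything else is rejected before any evaluation.
function tokenize(expr) {
  const tokens = [];
  const re = /\s*(\d+(?:\.\d+)?|[-+*\/()])\s*/y; // sticky: must match at lastIndex
  let pos = 0;
  while (pos < expr.length) {
    re.lastIndex = pos;
    const m = re.exec(expr);
    if (m === null) throw new Error(`Unexpected character at position ${pos}`);
    tokens.push(m[1]);
    pos = re.lastIndex;
  }
  return tokens;
}

// Recursive-descent evaluator over the token list. Grammar:
//   additive       := multiplicative (("+" | "-") multiplicative)*
//   multiplicative := primary (("*" | "/") primary)*
//   primary        := number | "(" additive ")" | "-" primary
function evaluateTokens(tokens) {
  let i = 0;
  const peek = () => tokens[i];
  const next = () => tokens[i++];

  function primary() {
    const t = next();
    if (t === undefined) throw new Error("Unexpected end of expression");
    if (t === "(") {
      const v = additive();
      if (next() !== ")") throw new Error("Missing closing parenthesis");
      return v;
    }
    if (t === "-") return -primary();
    if (/^\d/.test(t)) return parseFloat(t);
    throw new Error(`Unexpected token ${t}`);
  }
  function multiplicative() {
    let v = primary();
    while (peek() === "*" || peek() === "/") {
      const op = next();
      const r = primary();
      if (op === "/" && r === 0) throw new Error("Division by zero");
      v = op === "*" ? v * r : v / r;
    }
    return v;
  }
  function additive() {
    let v = multiplicative();
    while (peek() === "+" || peek() === "-") {
      const op = next();
      const r = multiplicative();
      v = op === "+" ? v + r : v - r;
    }
    return v;
  }
  const result = additive();
  if (i !== tokens.length) throw new Error(`Unexpected token ${tokens[i]}`);
  return result;
}

// Entry point for a form-submitted calculation field. Length-capped so a
// huge expression cannot exhaust the recursive parser.
function safeCalculate(userInput) {
  const expr = String(userInput);
  if (expr.length > 200) throw new Error("Expression too long");
  return evaluateTokens(tokenize(expr));
}

// Convenience predicate for callers that only need accept/reject.
function isSafeExpression(userInput) {
  try { safeCalculate(userInput); return true; } catch (e) { return false; }
}

// Demo: the sanitizer keeps the quote; the parser refuses the input outright.
console.log(naiveSanitize("2 + 2'"));       // 2 + 2'
console.log(safeCalculate("(2 + 3) * 4"));  // 20
console.log(isSafeExpression("2 + 2'"));    // false
```

The point of the grammar is that the set of accepted inputs is closed: a value either parses into numbers and operators or is rejected, and at no stage is the raw text concatenated into anything an interpreter executes. The same structure can be written in PHP with a tokenizer and recursive functions in place of eval().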
The recent discovery of attackers using Stripe as a command-and-control infrastructure represents a clever shift in tactics; what makes this method so difficult for traditional security filters to catch?
This campaign is particularly insidious because it weaponizes “implicit trust,” a concept that many modern web security protocols rely on too heavily. By using api.stripe.com as a data exfiltration sink, attackers are essentially hiding their malicious traffic in plain sight among the thousands of legitimate financial requests a store handles every day. Most Content Security Policy (CSP) rules and network filters are configured to trust major domains like Stripe and Google Tag Manager by default, meaning the malicious code is allowed to execute without a second thought from the server’s defense systems. The technical execution is brilliant in its simplicity: the attacker stores an obfuscated skimmer within the metadata field of a Stripe customer account, such as the one identified as “cus_TfFjAAZQNOYENR,” and then uses that same API to pull the code and push stolen data. Since the stolen credit card information and billing addresses are saved to the victim’s own localStorage before being exfiltrated to the attacker’s Stripe account, it avoids many of the red flags associated with strange outbound connections to unknown IP addresses. This strategy essentially turns Stripe’s robust, writable database into a free, durable, and highly reputable hosting endpoint for criminal activity that has been operational since at least late 2025.
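An added example of the defender-side check this answer points toward, not code from the campaign, from Stripe or from any store: because the outbound destination is a trusted host, destination-based filtering does not fire, so detection has to look at what is being staged on the client. The block scans web storage for Luhn-valid card numbers and hooks future writes. The MemoryStorage class, the function names and every sample value are constructed for this example; 4242 4242 4242 4242 is a public test card number, and the output only ever contains masked digits.

```javascript
// Added example, not code from the campaign, from Stripe or from any store:
// defender-side detection of card data being staged in web storage. The
// exfiltration endpoint in this campaign is a trusted host, so the check looks
// at the data itself rather than at where it is going.

// Luhn (mod-10) check over a string of ASCII digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Find runs of 13-19 digits (spaces or dashes allowed between them) that pass
// Luhn. Timestamps and order ids of similar length almost always fail Luhn.
function findCardLikeNumbers(text) {
  const hits = [];
  for (const m of String(text).matchAll(/(?:\d[ -]?){13,19}/g)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      hits.push(digits);
    }
  }
  return hits;
}

// Keep only the first 6 and last 4 digits in any report, never the full PAN.
function maskPan(digits) {
  return digits.slice(0, 6) + "*".repeat(digits.length - 10) + digits.slice(-4);
}

// Works with the browser Storage interface (length, key(i), getItem).
function scanStorageForCardData(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const numbers = findCardLikeNumbers(storage.getItem(key));
    if (numbers.length > 0) findings.push({ key, masked: numbers.map(maskPan) });
  }
  return findings;
}

// Watch future writes. Pass the prototype (Storage.prototype in a browser):
// assigning to localStorage.setItem directly would just store a key named
// "setItem", because Storage routes string-named property writes to setItem.
function watchStorageWrites(proto, onFinding) {
  const original = proto.setItem;
  proto.setItem = function (key, value) {
    const numbers = findCardLikeNumbers(value);
    if (numbers.length > 0) onFinding({ key, masked: numbers.map(maskPan) });
    return original.call(this, key, value);
  };
  return () => { proto.setItem = original; }; // handle to remove the hook
}

// Minimal in-memory Storage stand-in so the example runs outside a browser.
class MemoryStorage {
  constructor(entries = {}) { this.map = new Map(Object.entries(entries)); }
  get length() { return this.map.size; }
  key(i) { return Array.from(this.map.keys())[i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(String(k), String(v)); }
}

// Constructed sample: a legitimate cart id, a 13-digit timestamp that must not
// be flagged, and a JSON blob of the kind a skimmer might stage before sending.
const sampleStorage = new MemoryStorage({
  cart_id: "c_8f31a2",
  last_order_ts: "1700000000000",
  _s: JSON.stringify({ n: "4242 4242 4242 4242", exp: "12/27", name: "Test Shopper" }),
});

console.log(scanStorageForCardData(sampleStorage)); // [ { key: '_s', masked: [ '424242******4242' ] } ]
```

Run periodically from a first-party script and report findings to your own logging endpoint; a hit means card data exists somewhere in the page's storage, which a checkout built on a hosted payment field should never produce, whatever domain the data is later sent to.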
With over 5,000 fake storefronts involved in the GorgonAgora operation, how are these actors managing to maintain such a high level of technical sophistication, particularly regarding the 3D Secure relay?
The GorgonAgora operation is a massive undertaking that demonstrates a corporate level of organization, utilizing a cluster of 5,714 fake storefronts to impersonate global brands like Sony, Lego, and Starbucks. What sets this apart is the use of a unified commerce stack—specifically Medusa.js—which allows them to deploy a custom checkout SDK across all these sites with terrifying efficiency. The most alarming aspect of their technical prowess is the live 3D Secure (3DS) relay, which allows the attackers to bypass the very security measures designed to prevent unauthorized transactions. When a victim’s bank triggers a 3DS challenge, the operator captures that challenge and proxies it in real time back to the shopper through a fake Stripe iframe, making the entire theft feel like a legitimate, secure transaction. By exfiltrating card data over an encrypted WebSocket with an AES-256-GCM payload to a single server in Moldova, they ensure that the data remains protected from prying eyes while it is being harvested. This level of synchronization, which has been ongoing since August 2025, shows that we are no longer dealing with lone hackers, but with a sophisticated infrastructure capable of maintaining invisible, persistent theft at a global scale.
What is your forecast for the future of trusted-service abuse?
I believe we are entering an era where the concept of a “trusted domain” will become a liability rather than a security shortcut. As we have seen with the Stripe and Google Firestore exploits, attackers are moving away from building their own suspicious infrastructure and are instead piggybacking on the reputation of the world’s most reliable services. In the next few years, I expect to see a surge in “Living off the API” attacks, where malicious actors use the legitimate features of cloud providers, communication tools, and payment gateways to host their entire attack lifecycle. This will force a fundamental shift in how we approach web security, moving away from simple allow-lists and toward a model of zero-trust at the data layer, where even a connection to a “safe” domain like Google or Stripe is treated with continuous scrutiny. We will likely see more sophisticated obfuscation techniques that hide malicious payloads within the routine metadata of these services, making the detection of a breach more about identifying behavioral anomalies than blocking specific URLs. To survive this shift, organizations will need to implement much more granular monitoring of what data is being sent and received, regardless of how reputable the destination appears to be.
