top of page

Critical WordPress Vulnerabilities: Valve Platform and Forms Plugin Exploited for Web Shell Distribution

  • Jun 4
  • 3 min read

Key Findings


  • Gaming platform profiles weaponized to distribute WordPress web shells via invisible Unicode steganography

  • Nearly 2,000 websites compromised through Steam profile command injection technique

  • Critical Everest Forms Pro vulnerability (CVE-2026-3300, CVSS 9.8) actively exploited to create rogue admin accounts

  • Attackers using cookie-authenticated backdoors to maintain persistent access and rewrite code remotely

  • Over 17,900 exploit attempts blocked in single day as attackers scan for vulnerable targets at scale


Background


Security researchers have identified two distinct but equally alarming attack campaigns targeting WordPress infrastructure. The first involves an unconventional cyber espionage operation where threat actors exploit gaming networks to control compromised web systems. The second targets a widespread WordPress plugin vulnerability being actively weaponized by criminal groups. Together, these campaigns demonstrate how attackers are leveraging both social engineering vectors and known software flaws to establish persistent backdoor access across thousands of websites.


Steam Profile Malware Campaign


GoDaddy Security researchers uncovered a sophisticated operation where malicious actors hide command instructions inside Steam user profile comment zones. This technique keeps attacker control systems completely invisible to traditional network filters, allowing the operation to silently spread across nearly 2,000 distinct website setups. The core innovation involves embedding payloads where they blend seamlessly into normal user interactions on a trusted platform.


Invisible Unicode Steganography Technique


The malware employs invisible Unicode characters to conceal payloads within Steam profile comments. The script extracts text blocks from targeted gaming profiles, then isolates binary characters that human eyes cannot perceive. This steganographic data encoding evades traditional text-based detection methods because normal content filters simply do not recognize the hidden threat assets embedded alongside legitimate profile text.


Payload Reconstruction and Encryption


The decoder script maps six unique zero-width characters to numeric coordinates, reconstructing raw binary payloads from regular ASCII art blocks. Advanced variants include AES-256-CTR encryption alongside complex validation mechanisms to protect data from interception. The process ultimately yields a clean web address pointing directly to an external malicious server, completing the command pathway from gaming profile to compromised website.


Parallel Execution Architecture


The attack employs two deployment tracks to manage targets simultaneously. On the client side, the script injects external instructions into active web pages using native framework functions under false names to avoid detection. Visitor systems unknowingly load tracking implants every time a web page renders. Concurrently, the server-side chain establishes administrative presence by hooking into template redirect processes and waiting for a specific authorization cookie to trigger a hidden command prompt.


Cookie-Authenticated Backdoor


Once activated, the backdoor enables remote code execution by accepting base64-encoded PHP code via POST requests. This allows attackers to modify plugin and theme files remotely, giving operators the power to rewrite local files without ever logging in through traditional administrative interfaces. The backdoor's persistence capability means attackers can push fresh scripts even after partial cleanup attempts.


Everest Forms Pro Vulnerability Details


A critical vulnerability tracked as CVE-2026-3300 with CVSS score 9.8 resides within the premium form-builder plugin's complex calculation feature. The flaw allows unauthenticated attackers to execute arbitrary PHP code on servers, leading to complete site compromise. The vulnerable process_filter() function concatenates submitted form field values into a PHP code string passed directly to eval(), creating an injection point.


Input Validation Bypass


The application applies basic text filtering but fails to handle single quotes properly. Unauthenticated adversaries can submit malicious characters to break out of string boundaries, causing the underlying server to execute injected command sequences automatically. This elementary oversight in input validation transforms an ordinary form plugin into a direct gateway for remote code execution.


Active Exploitation Campaign


Threat actors began probing websites for this vulnerability on April 13, 2026. Telemetry shows a dramatic surge in automated attacks, with defenses blocking over 17,900 exploit requests on May 16, 2026 alone. This massive scale indicates hackers are leveraging the flaw to scan for vulnerable targets indiscriminately across the WordPress ecosystem.


Rogue Admin Account Creation


The primary objective of these automated campaigns is securing long-term backdoor access. The most common payload observed attempts to create a new administrator account named 'diksimarina' on affected sites. If successful, this rogue user allows criminals to upload web shells, manipulate databases, or deploy additional malware, establishing persistent control over compromised infrastructure.


Defensive Measures and Incident Recovery


Network defenders must upgrade monitoring methods to identify sneaky techniques used in both campaigns. Security teams should inspect database spaces for unusual cache transients and scan system files for unapproved cryptographic functions. Administrators must flag any outbound network connections traveling toward gaming domain paths.


Complete eradication requires comprehensive action rather than partial cleanup. Teams should reset all administrator credentials, audit user profiles for unauthorized accounts, and prioritize restoring systems from verified historical backups. Wordfence released a secure software update, with administrators needing to upgrade Everest Forms Pro to version 1.9.13 or higher immediately. Enforcing prompt dependency tracking remains the absolute best defense against severe web server damage.


Sources


  • https://securityonline.info/steam-profile-malware-campaign-wordpress/

  • https://securityonline.info/everest-forms-pro-flaw-active-exploitation/

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page