THE SIGNAL

Attackers Now Rent The Defender's Trust

The newest break-ins don't smuggle in their own tools. They borrow the brand names every security team already waves through the door.

The Allowlist Is The Attack Surface

What happened: Criminals are breaking into websites three different ways at once. First, a flaw in Everest Forms Pro, a small add-on (about 4,000 sites use it) that lets a WordPress site collect form submissions, lets a stranger run their own code on the server just by typing into a contact form. The bug is tracked as CVE-2026-3300 (a CVE is the industry's standard identifier for a disclosed vulnerability), carries a severity score of 9.8 out of 10, and the security firm Wordfence has counted more than 29,300 attempts to exploit it. Separately, the firm Sansec found thieves hiding their card-stealing code ("skimmers," small scripts that copy a shopper's card number at checkout) inside Stripe's and Google's own services, plus a 5,714-store fake-shop network funneling stolen cards to a single server in Moldova.

What's really going on: These look like three stories. They are one. The Everest Forms bug exists because the plugin took whatever a visitor typed and fed it straight into a command the server obeyed, trusting input it should have treated as hostile. The skimmer crews run the larger version of the same trick: instead of hosting their own servers (which get blocked), they store stolen cards inside a real Stripe account and load their malware through Google Tag Manager, because the script allowlist (typically a Content Security Policy) of almost every online store already admits stripe.com and googletagmanager.com by default. The attacker isn't sneaking past the guard. The attacker is wearing the uniform the guard was told to salute. That trust is the hardest thing to revoke, because revoking it means breaking the payment and analytics tools the business runs on.

Why most people are missing this: They think the fix is blocking bad domains and patching bad plugins, when the abused domains are the ones a store can least afford to block.

The Take: Your security allowlist is now a target list — every service you've decided to trust without inspection is a door you've propped open for anyone who can pose as it.

Why it matters: Defenses built on "is this source reputable" stop working when the attack arrives through the reputable source itself, which pushes the whole industry toward inspecting behavior instead of checking nameplates.

The Pattern

The tension is between trust-by-identity (this domain is known, let it through) and trust-by-behavior (watch what the code actually does, regardless of where it came from). Identity-based trust is losing, because attackers have learned to occupy trusted identities faster than defenders can vet them: a Stripe account, a Google Tag Manager container, a popular plugin. The reputations that were supposed to be a shortcut to safety have become the easiest thing to rent.

What This Signals

  • Allowlisting trusted vendors flips from a security best-practice to a liability, pushing stores to inspect what runs at checkout rather than where it loads from.

  • Platforms like Stripe and Google become unwilling middlemen in every breach that abuses them, dragging payment and analytics giants into a policing role they never priced in.

  • "Just patch and block" advice quietly stops protecting the businesses most dependent on third-party tools, which is most of them.

Quick Byte

The 1988 Morris Worm, one of the first internet outbreaks, spread largely not by smashing through defenses but by abusing trusted features: sendmail's debug mode and the rsh/rexec trust between hosts that let machines run commands on each other without a password (it also carried a classic buffer overflow against fingerd). Nearly forty years later, the winning move is still the same: don't break the lock, become something the lock was built to admit.

THREAD

  • Hackers stopped bringing their own servers. They now store stolen credit cards inside real Stripe accounts, because every online store's security allowlist already trusts stripe.com.

  • A contact form, a checkout page, a payment processor — three different breaks, one method: feed the system input it was told to trust, and it runs your code for you.

  • If you can't block the domains being weaponized because your business depends on them, what does an "allowlist" actually protect anymore?

POST: Three separate website breaches hit the news this week. They share one method. Attackers no longer sneak past trusted services — they hide inside them, turning Stripe into a stolen-card database and Google's tools into a malware loader. The reputations defenders rely on as a shortcut have become the attack surface. "Is this source reputable" is a question that no longer keeps anyone safe.

TAKE: The reputation of a trusted vendor is no longer a security feature — it's the credential attackers steal first, because you've already promised never to question it.
