15 Jul 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF)/SQL Injection in Everest Forms

One of the changelog entries for the latest version of Everest Forms is “Fix – SQL Injection (discovered by Tin Duong).” Looking at the changes made in that version, we saw that in /includes/evf-entry-functions.php several SQL statements had been changed to use prepared statements, which fixed SQL injection vulnerabilities. It looks like those statements are only reached from the plugin’s Entries admin page, which is normally only accessible to Administrators. On its own that limits the impact, since Administrators can already do the equivalent of SQL injection through their normal capabilities, but through cross-site request forgery (CSRF), that is, by getting a logged-in Administrator to visit a page that triggers the vulnerable request, this could have been exploited.
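The two halves of the fix described above, shown as an added illustration that is not Everest Forms’ actual code: a hypothetical admin-page entry lookup whose SQL interpolates request input, the same lookup rewritten with `$wpdb->prepare()`, and the capability and nonce checks that stop a logged-in Administrator from being made to trigger the request cross-site. The function names, the `evf_entries` table name, the `entry_id` parameter and the nonce action string are all assumptions for the example.

```php
<?php
// Added example, not code from the Everest Forms plugin. All names below
// (functions, table, parameter, nonce action) are hypothetical.

// BEFORE: the entry id from the request is concatenated straight into SQL.
// An Administrator (or a page that forges a request from one) controls
// $entry_id, so a value like "1 OR 1=1" or a UNION payload changes the query.
function evf_example_get_entry_vulnerable( $entry_id ) {
    global $wpdb;
    return $wpdb->get_row(
        "SELECT * FROM {$wpdb->prefix}evf_entries WHERE entry_id = $entry_id"
    );
}

// AFTER: a %d placeholder plus $wpdb->prepare() binds the value instead of
// concatenating it, which is the kind of change the changelog entry refers to.
function evf_example_get_entry_fixed( $entry_id ) {
    global $wpdb;
    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}evf_entries WHERE entry_id = %d",
            $entry_id
        )
    );
}

// The admin-page handler. Restricting the page to Administrators is not enough
// on its own: without a nonce, a logged-in Administrator visiting an attacker's
// page can be made to send this request (CSRF), which is what turns an
// admin-only injection into something exploitable.
function evf_example_handle_entry_request() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // Verifies the _wpnonce field/query argument for this action and dies on
    // failure; the nonce is tied to the logged-in user and cannot be guessed
    // by a third-party site.
    check_admin_referer( 'evf_example_view_entry' );

    $entry_id = isset( $_GET['entry_id'] ) ? absint( $_GET['entry_id'] ) : 0;
    return evf_example_get_entry_fixed( $entry_id );
}

// Links on the Entries page must carry the nonce for the check above to pass:
// $url = wp_nonce_url(
//     admin_url( 'admin.php?page=evf-entries&entry_id=5' ),
//     'evf_example_view_entry'
// );
```

Note that `absint()` alone would already defeat the injection for an integer id, but it does nothing for the CSRF half; the nonce check is what prevents the request from being forged, and `$wpdb->prepare()` is what keeps the query safe for any parameter type, not just integers.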

...


This post provides insights into a vulnerability in the WordPress plugin Everest Forms that was not discovered by us and for which the discoverer had not provided the details needed for us to confirm it while we were adding it to the data set for our service, so the rest of its contents are limited to subscribers of our service.

