15 Jul 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF)/SQL Injection in Everest Forms

One of the changelog entries for the latest version of Everest Forms is “Fix – SQL Injection (discovered by Tin Duong).” Looking at the changes made in that version, we saw that in /includes/evf-entry-functions.php several SQL statements had been changed to use prepared statements, which fixed SQL injection vulnerabilities. Those statements appear to be reachable only from the plugin’s Entries admin page, which is normally accessible only to Administrators. Administrators can already do the equivalent of SQL injection, so the direct impact is limited, but the vulnerable code could still have been exploited through cross-site request forgery (CSRF): an attacker who gets a logged-in Administrator to load an attacker-controlled page could have had the Administrator’s browser send the request carrying the injection payload.
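The following is an added example, not code from Everest Forms or from the fix described above. It shows the general pattern the advisory is about: an admin-only handler that interpolates a request parameter into SQL, and the hardened form that adds a capability check, a WordPress nonce check (which stops the CSRF route) and a prepared statement. It assumes WordPress is loaded, so that $wpdb, current_user_can(), check_admin_referer(), absint(), wp_nonce_url() and the rest are available; the table name example_entries, the action name example_delete_entry and the function names are hypothetical.

```php
<?php
// Added example (not Everest Forms' code). Assumes WordPress is loaded so that
// $wpdb, current_user_can(), check_admin_referer(), absint(), add_query_arg(),
// admin_url() and wp_nonce_url() exist. Table, action and function names are
// hypothetical.

/**
 * VULNERABLE: the entry ID from the request is interpolated straight into SQL.
 * Because the handler is only reachable by Administrators an attacker cannot
 * call it directly, but a logged-in Administrator who loads an attacker-
 * controlled page can be made to submit this request (CSRF), and the
 * unprepared statement then runs with the attacker's payload.
 */
function example_delete_entry_vulnerable() {
    global $wpdb;
    $entry_id = $_REQUEST['entry_id']; // e.g. "1 OR 1=1" deletes every row
    $wpdb->query( "DELETE FROM {$wpdb->prefix}example_entries WHERE entry_id = $entry_id" );
}

/**
 * HARDENED: three changes, each closing one hole.
 *  1. Capability check: only users allowed to manage the site reach the query.
 *  2. Nonce check: the request must carry a nonce tied to this user and this
 *     action. A cross-site page cannot read that value, so the forged request
 *     is rejected before any SQL runs.
 *  3. Prepared statement: the ID is bound as an integer (%d), so nothing the
 *     request supplies can change the statement's structure. absint() already
 *     coerces the value, but binding it keeps the query safe even if that
 *     sanitisation is later removed.
 */
function example_delete_entry_hardened() {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // Verifies $_REQUEST['_wpnonce'] for the action 'example_delete_entry' and
    // dies with an error page if it is missing or invalid.
    check_admin_referer( 'example_delete_entry' );

    $entry_id = isset( $_REQUEST['entry_id'] ) ? absint( $_REQUEST['entry_id'] ) : 0;
    if ( 0 === $entry_id ) {
        wp_die( 'Invalid entry ID.' );
    }

    $wpdb->query(
        $wpdb->prepare(
            "DELETE FROM {$wpdb->prefix}example_entries WHERE entry_id = %d",
            $entry_id
        )
    );
}

/**
 * The link the admin page would emit for the hardened handler. wp_nonce_url()
 * appends the _wpnonce parameter that check_admin_referer() later verifies;
 * a link built without it is rejected, which is exactly what a CSRF page
 * would be forced to send.
 */
function example_delete_entry_link( $entry_id ) {
    $url = add_query_arg(
        array(
            'action'   => 'example_delete_entry',
            'entry_id' => absint( $entry_id ),
        ),
        admin_url( 'admin.php?page=example-entries' )
    );
    return wp_nonce_url( $url, 'example_delete_entry' );
}
```

The nonce check and the prepared statement address different problems: the nonce stops an outside page from driving an Administrator's browser to the handler at all, while the prepared statement makes sure that, whoever reaches the handler, the request data can only ever be treated as a value. A fix that only does one of the two leaves either the CSRF route or the injection in place.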
