Plugin vulnerable to Server-Side Request Forgery
CVE-2024-1812
7.2 HIGH
Key Information:
- Vendor: WordPress
- CVE Published: 9 April 2024
Summary
The Everest Forms plugin for WordPress is susceptible to a Server-Side Request Forgery vulnerability in all versions up to and including 2.0.7. This vulnerability arises through the 'font_url' parameter, enabling unauthorized attackers to initiate web requests to arbitrary locations originating from the affected web application. Consequently, this can lead to the querying and potential modification of sensitive information from internal services, posing significant risks to the security of the system and its data integrity.
Affected Version(s)
Everest Forms – Build Contact Forms, Surveys, Polls, Quizzes, Newsletter & Application Forms, and Many More with Ease! (<= 2.0.7)
CVSS V3.1
- Score: 7.2
- Severity: HIGH
- Confidentiality: Low
- Integrity: Low
- Availability: Low
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
hoangnd123123