Fortinet Discovers WordPress Everest Forms SQL Injection Vulnerability
Fortinet's FortiGuard Labs has discovered a SQL injection vulnerability in WPEverest Everest Forms plugin for WordPress.
Everest Forms plugin provides you with an easy way to create any kind of forms including contact forms. Drag and Drop fields make ordering and creating forms so easy that even a beginner to WordPress can create beautiful forms within minutes. The plugin is lightweight, fast, extendible and 100% mobile responsive.
A SQL injection vulnerability exists in the WPEverest Everest Forms plugin through 1.4.9 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via includes/evf-entry-functions.php
SolutionsFortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability:
User should apply the patch provided by WPEverest
Fortinet reported the vulnerability to WPEverest on July 10, 2019
WPEverest confirmed the vulnerability on July 11, 2019
WPEverest released patch for the vulnerability on July 15, 2019
This vulnerability was discovered by Tin Duong of Fortinet's FortiGuard Labs.