Critical Vulnerability in Everest Forms WordPress Plugin

VTA-004513 – Critical Vulnerability in Everest Forms WordPress Plugin

The Everest Forms WordPress plugin, in versions up to 3.1.1, contains a PHP Object Injection vulnerability due to the insecure handling of the ‘field_value’ parameter. Although the plugin itself lacks the necessary “POP chain” to directly exploit this flaw, its presence means that if a website using Everest Forms also has another installed plugin or theme containing a POP chain, unauthenticated attackers could leverage this combination to perform malicious actions. These actions could range from deleting arbitrary files and retrieving sensitive data to executing arbitrary code on the server, depending on the capabilities offered by the external POP chain. Therefore, the vulnerability in Everest Forms poses a significant security risk in environments where a compatible POP chain is present through other installed software.

Severity:
Medium

Attack Surface:
Web Application, Web Browser, Workspace

References:
1. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/everest-forms/everest-forms-contact-form-quiz-survey-newsletter-payment-form-builder-for-wordpress-311-unauthenticated-php-object-injection

SuperPRO’s Threat Countermeasures Procedures:
1. Update and review the security updates released by Wordfence, and apply the necessary updates.
2. Stay informed about security updates released by Wordfence and apply them promptly.
3. Keep a close watch for any unusual file uploads, attempts to execute remote code, or modifications/deletions of critical files like wp-config.php.
4. Update immediately, then identify and mitigate any other plugins or themes that may contain a POP chain, as these could be exploited in conjunction with the Everest Forms vulnerability.
5. Consider using a WAF with rules that can block potential exploits targeting this vulnerability.
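
One way to implement the check behind items 3 and 5, added here as an example and not taken from Wordfence, the plugin, or SuperPRO: it flags PHP serialized object tokens in any request parameter whose name contains `field_value`. The request bodies, the `form_id` and `entry[...]` parameter names and the function names are constructed for illustration; how the plugin names the parameter on the wire is an assumption.

```python
import re
from urllib.parse import parse_qsl, quote, unquote

# PHP serialize() writes an object as O:<len>:"<Class>":<count>:{ and a
# Serializable object as C:<len>:"<Class>":<len>:{ . Scalars and arrays
# (s:, i:, b:, a:) never begin with these tokens. The token must sit at the
# start of the value or after ';' or '{' (nested inside an array or object).
# An optional '+' before the length is tolerated so the check errs toward flagging.
OBJECT_TOKEN = re.compile(r'(?:^|[;{])[OC]:[+]?\d+:"([^"]+)":\d+:\{')


def decode_layers(value, max_rounds=3):
    """Undo repeated URL-encoding so a double-encoded value is still inspected."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_serialized_objects(body, param_hint="field_value"):
    """Return (parameter, class name) pairs for object tokens in matching params."""
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if param_hint not in name:  # assumption: scope to the advisory's parameter
            continue
        for match in OBJECT_TOKEN.finditer(decode_layers(value)):
            hits.append((name, match.group(1)))
    return hits


# Constructed sample bodies (not captured traffic); stdClass is a harmless class.
_OBJ = 'O:8:"stdClass":0:{}'
SAMPLE_BODIES = [
    "form_id=12&field_value=" + quote("Alice Smith"),
    "form_id=12&field_value=" + quote(_OBJ, safe=""),
    "form_id=12&entry[field_value]="
    + quote(quote("a:1:{i:0;" + _OBJ + "}", safe=""), safe=""),
    "form_id=12&comment=" + quote(_OBJ, safe=""),  # different parameter, not in scope
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        hits = find_serialized_objects(body)
        print("ALERT" if hits else "ok   ", hits, body[:60])
```

A hit means an object token reached the parameter, not that a POP chain exists on the site; treat it as a trigger for the review in items 3 and 4.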

Contributed by: Syaff