CVE-2024-1812 Overview
CVE-2024-1812 is a Server-Side Request Forgery (SSRF) vulnerability in the Everest Forms plugin for WordPress. The flaw affects all plugin versions up to and including 2.0.7. Unauthenticated attackers can abuse the font_url parameter to make the web application issue arbitrary outbound HTTP requests. This enables attackers to query and modify information exposed by internal services that are not reachable from the public internet. The vulnerability is tracked under CWE-918: Server-Side Request Forgery.
Critical Impact
Unauthenticated remote attackers can pivot through vulnerable WordPress sites to reach internal services, cloud metadata endpoints, and other restricted network resources.
Affected Products
- WPEverest Everest Forms plugin for WordPress
- All versions through 2.0.7
- WordPress sites running the plugin with default configuration
Discovery Timeline
- 2024-04-09 - CVE-2024-1812 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-1812
Vulnerability Analysis
The Everest Forms plugin accepts a user-supplied value via the font_url parameter and uses it to perform a server-side HTTP request. Because the plugin does not validate or restrict the destination URL, attackers can supply arbitrary hosts and schemes. The request is issued by the WordPress server itself, granting access to network segments and services that trust the application host. No authentication is required, which broadens the attacker pool to any internet-based actor that can reach the site.
Root Cause
The root cause is missing validation of the font_url parameter before the server initiates an outbound request. The plugin trusts attacker-controlled input as a destination URL and does not enforce an allowlist of hosts, schemes, or expected resource patterns. This omission satisfies the conditions described in CWE-918, where the server fetches a remote resource using user-supplied input without sufficient verification.
Attack Vector
An unauthenticated attacker sends a crafted HTTP request to the vulnerable plugin endpoint, supplying a malicious value for font_url. The server then performs a request to the attacker-specified location. Common abuse scenarios include reaching cloud instance metadata endpoints such as 169.254.169.254, probing internal IP ranges, interacting with internal APIs that rely on network-level trust, and exfiltrating response data through error messages or differential timing. See the Wordfence Vulnerability Report for additional technical context.
No public proof-of-concept exploit code is referenced in the advisory, so the vulnerability is described in prose rather than with synthetic code.
Detection Methods for CVE-2024-1812
Indicators of Compromise
- Outbound HTTP requests originating from the WordPress server to internal IP ranges such as 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
- Web server access logs showing requests containing the font_url parameter with non-font URLs or IP-literal hosts.
- DNS lookups from the WordPress host to attacker-controlled domains tied to font-related endpoints.
- Connections from the WordPress server to cloud metadata services like 169.254.169.254.
Detection Strategies
- Inspect web server and application logs for requests targeting Everest Forms endpoints with the font_url parameter set to suspicious values.
- Correlate inbound HTTP requests with outbound network connections initiated by the PHP worker process to identify SSRF chains.
- Deploy web application firewall rules that flag URLs in the font_url field which do not resolve to known font CDN hosts.
Monitoring Recommendations
- Forward WordPress access logs and egress firewall logs into a centralized analytics platform for correlation.
- Alert on any request from the web server to cloud metadata IPs or RFC1918 ranges.
- Track plugin version inventory across WordPress estates and flag installations of Everest Forms at version 2.0.7 or earlier.
How to Mitigate CVE-2024-1812
Immediate Actions Required
- Update the Everest Forms plugin to a version later than 2.0.7 that contains the fix referenced in the WordPress Plugin Change Log.
- Audit web server logs for prior requests containing the font_url parameter and investigate any anomalous outbound traffic.
- Restrict outbound network access from the WordPress server to only the destinations required for operation.
Patch Information
The vendor addressed the SSRF in a code change recorded in changeset 3049743 on the WordPress plugin repository. Site operators should upgrade through the WordPress plugin manager or via WP-CLI to receive the patched code. Confirm the installed version is higher than 2.0.7 after the update.
Workarounds
- Disable or remove the Everest Forms plugin until the patched version is installed.
- Block outbound traffic from the WordPress server to internal subnets and cloud metadata endpoints at the host or network firewall.
- Deploy WAF signatures that reject requests where the font_url parameter contains IP-literal hosts, non-HTTPS schemes, or non-font file extensions.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

