CVE-2025-6782
WordPress · WordPress GoZen Forms plugin
A high-severity SQL Injection vulnerability in the GoZen Forms plugin for WordPress allows unauthenticated attackers to extract sensitive information from the database.
Executive summary
A high-severity SQL Injection vulnerability in the GoZen Forms plugin for WordPress allows unauthenticated attackers to extract sensitive information from the database.
Vulnerability
The GoZen Forms plugin for WordPress is vulnerable to an unauthenticated SQL Injection. The flaw exists in the dirGZActiveForm() function due to insufficient sanitization of user-supplied input to the forms-id parameter, allowing an attacker to execute arbitrary SQL commands.
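The defect class described above, as an added illustration that is not code from the GoZen Forms plugin: a request parameter spliced into a SQL string, shown beside the hardened form WordPress itself provides ($wpdb->prepare() with an integer placeholder). The function names, the table name and the use of $_GET are assumptions.

```php
<?php
// Added illustrative example, not the plugin's code. Demonstrates the
// class of bug in the advisory (untrusted request parameter concatenated
// into SQL) next to the hardened pattern. Names below are assumptions.

// Vulnerable pattern (hypothetical): the raw parameter is interpolated
// into the statement, so whatever it contains becomes SQL syntax.
function example_active_form_vulnerable( $forms_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_forms'; // assumed table name
    $sql   = "SELECT * FROM {$table} WHERE id = '" . $forms_id . "' AND active = 1";
    return $wpdb->get_row( $sql ); // no prepare(): injectable
}

// Hardened pattern: coerce the identifier to a non-negative integer,
// reject anything that does not survive the coercion, and let
// $wpdb->prepare() bind the value instead of splicing it into the query.
function example_active_form_hardened( $forms_id ) {
    global $wpdb;
    $id = absint( $forms_id );
    if ( 0 === $id ) {
        return null; // empty or non-numeric input is refused outright
    }
    $table = $wpdb->prefix . 'example_forms'; // assumed table name
    $sql   = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE id = %d AND active = 1",
        $id
    );
    return $wpdb->get_row( $sql );
}

// Call site (assumed to read a GET parameter): the value is passed through
// untouched and the callee is responsible for validating it.
$row = example_active_form_hardened( isset( $_GET['forms-id'] ) ? $_GET['forms-id'] : '' );
```

The table name only ever comes from $wpdb->prefix plus a literal, so interpolating it into the format string is safe; only the request-supplied value goes through the placeholder.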
Business impact
A successful exploit could allow an attacker to read, modify, or delete sensitive data from the WordPress database, including user credentials, personal information, and site content. This vulnerability is rated High with a CVSS score of 7.5, reflecting the potential for significant data compromise and loss of confidentiality and integrity.
Remediation
Immediate Action: Administrators should immediately update the GoZen Forms plugin to the latest patched version as specified by the vendor. If a patch is not yet available or the plugin is not essential, consider disabling or uninstalling it.
Proactive Monitoring: Monitor web server and database logs for unusual or malformed SQL queries, paying close attention to requests that carry the forms-id parameter handled by the dirGZActiveForm() function.
Compensating Controls: Implement a Web Application Firewall (WAF) with rules designed to detect and block common SQL Injection attack patterns as a virtual patch.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity of this vulnerability and the ease of exploitation for SQL Injection flaws, immediate action is required. We strongly recommend that all administrators prioritize the deployment of the vendor-supplied patch to prevent potential data breaches and unauthorized access to the application database.