CVE-2025-6783
WordPress · WordPress GoZen Forms plugin
A high-severity SQL Injection vulnerability in the GoZen Forms plugin for WordPress allows unauthenticated attackers to execute arbitrary SQL queries, potentially leading to sensitive data exfiltration.
Executive summary
A high-severity SQL Injection vulnerability in the GoZen Forms plugin for WordPress allows unauthenticated attackers to execute arbitrary SQL queries, potentially leading to sensitive data exfiltration.
Vulnerability
The GoZen Forms plugin is vulnerable to SQL Injection due to improper sanitization of user-supplied input in the 'forms-id' parameter of the emdedSc() function. An unauthenticated attacker can craft a malicious request to execute arbitrary SQL commands on the underlying WordPress database.
Business impact
A successful exploit could allow an attacker to read, modify, or delete sensitive data from the WordPress database, including user information, content, and configuration settings. This poses a significant risk of a data breach, reputational damage, and potential website defacement. The assigned CVSS score of 7.5 reflects the high severity of this vulnerability.
Remediation
Immediate Action: Update the GoZen Forms plugin to the latest patched version provided by the vendor to eliminate the vulnerability. If the plugin is not essential, consider deactivating and deleting it as an alternative.
Proactive Monitoring: Monitor web server and database logs for unusual or excessively long SQL queries, especially those targeting the vulnerable function. Review for any signs of unauthorized access or data modification.
Compensating Controls: Implement a properly configured Web Application Firewall (WAF) with rules designed to detect and block common SQL Injection attack patterns, which can serve as a virtual patch.
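The monitoring item above asks administrators to review logs for requests aimed at the vulnerable parameter. The following Python script is an added example (not part of this advisory and not the plugin's own code) that walks web-server access-log lines, pulls out the 'forms-id' query parameter described in the Vulnerability section, and flags any request where that parameter is not a plain numeric identifier or is supplied more than once. It assumes 'forms-id' is expected to be a numeric form identifier; the endpoint path, the 'action' value and the log lines themselves are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format). The endpoint and
# the "action" value are assumptions for illustration, not the plugin's real
# route. Line 2 carries a non-numeric forms-id, line 4 repeats the parameter.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jul/2025:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=gz_embed&forms-id=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Jul/2025:12:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=gz_embed&forms-id=12%27%20OR%201%3D1-- HTTP/1.1" 200 9812 "-" "curl/8.0"
198.51.100.7 - - [10/Jul/2025:12:00:09 +0000] "POST /wp-admin/admin-ajax.php?action=gz_embed&forms-id=7 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Jul/2025:12:00:12 +0000] "GET /wp-admin/admin-ajax.php?action=gz_embed&forms-id=3&forms-id=4 HTTP/1.1" 200 310 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target proto", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Positive validation: a form identifier should be a short run of digits.
# Anything else (quotes, spaces, SQL keywords, comment markers) fails this
# check without needing a list of attack signatures.
FORMS_ID_OK = re.compile(r'^[0-9]{1,10}$')


def is_valid_forms_id(value: str) -> bool:
    """True when the value looks like a plain numeric form identifier."""
    return bool(FORMS_ID_OK.match(value))


def analyse_line(line: str):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a recognisable access-log line
    query = urlsplit(m.group('target')).query
    # parse_qs percent-decodes values, so "12%27%20OR..." becomes "12' OR ..."
    params = parse_qs(query, keep_blank_values=True)
    values = params.get('forms-id')
    if values is None:
        return None  # request does not touch the parameter of interest
    if len(values) > 1:
        reason = 'multiple forms-id values (parameter pollution)'
    elif not is_valid_forms_id(values[0]):
        reason = 'forms-id is not a plain numeric identifier'
    else:
        return None
    return {
        'ip': m.group('ip'),
        'timestamp': m.group('ts'),
        'method': m.group('method'),
        'values': values,
        'reason': reason,
    }


def analyse_log(text: str):
    """Run analyse_line over every line and collect the findings in order."""
    findings = []
    for line in text.splitlines():
        finding = analyse_line(line)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in analyse_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} {f['method']} forms-id={f['values']!r}: {f['reason']}")
```

Access logs only record the query string, so a value sent in a POST body is invisible to this check; pair it with the database-side query logging the advisory recommends, and treat a hit as a prompt to confirm the plugin version rather than as proof of compromise.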
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high-severity rating and the potential for unauthenticated exploitation, this vulnerability presents a critical risk to affected WordPress sites. We strongly recommend that administrators prioritize applying the vendor-supplied update immediately to prevent potential data compromise and unauthorized database access.