CVE-2018-25347

WordPress Contact Form Maker Plugin 1.12.20 SQL Injection

CVSS 7.1 HIGHEPSS 0.2%CWE-89

WordPress Contact Form Maker Plugin 1.12.20 contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through the FormMakerSQLMapping and generete_csv_fmc AJAX actions. Attackers can inject malicious SQL code via the 'name' and 'search_labels' parameters to extract sensitive database information or escalate privileges.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Affected products

web-dorado · Contact Form Maker

public PoCs found — 1

cve_referencewww.exploit-db.com/exploits/44854unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://wordpress.org/plugins/contact-form-maker/https://www.exploit-db.com/exploits/44854 https://www.vulncheck.com/advisories/wordpress-contact-form-maker-plugin-sql-injection