Description
WordPress Contact Form Maker Plugin 1.12.20 contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through the FormMakerSQLMapping and generete_csv_fmc AJAX actions. Attackers can inject malicious SQL code via the 'name' and 'search_labels' parameters to extract sensitive database information or escalate privileges.
Published: 2026-05-23
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress Contact Form Maker Plugin version 1.12.20 contains a SQL injection vulnerability in the FormMakerSQLMapping and generete_csv_fmc AJAX actions. An authenticated attacker who injects SQL through the name and search_labels parameters can read the underlying database, including sensitive records, make limited modifications to it, and potentially elevate their privileges within the WordPress site.
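
The pattern behind a CWE-89 finding in a WordPress admin-ajax handler, as an added illustration that is not the Contact Form Maker plugin's code (the plugin's source is not on this page): a hypothetical handler that concatenates the name and search_labels request parameters into a query, beside a hardened version that binds them with $wpdb->prepare(), neutralises LIKE wildcards with esc_like(), and adds capability and nonce checks. The table name, column names, hook names and nonce action are assumptions.

```php
<?php
// Added illustration, not code from the Contact Form Maker plugin.
// Shows the CWE-89 bug class in a WordPress admin-ajax handler and its fix.
// Table (wp_formmaker), columns (id, title), hook and nonce names are assumptions.

// --- Vulnerable pattern (hypothetical, shown for contrast, never registered) ---
function fm_demo_csv_vulnerable() {
    global $wpdb;
    // Attacker-controlled input is pasted straight into the SQL string.
    $name   = isset( $_REQUEST['name'] ) ? (string) $_REQUEST['name'] : '';
    $search = isset( $_REQUEST['search_labels'] ) ? (string) $_REQUEST['search_labels'] : '';
    $sql    = "SELECT id, title FROM {$wpdb->prefix}formmaker"
            . " WHERE title = '" . $name . "'"
            . " AND title LIKE '%" . $search . "%'";
    // A classic payload in 'name' such as  x' UNION SELECT user_login, user_pass FROM wp_users -- -
    // rewrites the query into a credential dump, because nothing quotes or binds the value.
    $rows = $wpdb->get_results( $sql, ARRAY_A );
    wp_send_json( $rows );
}

// --- Hardened form -------------------------------------------------------------
function fm_demo_csv_hardened() {
    global $wpdb;

    // 1. Authorisation: only users allowed to manage the plugin, and only with a
    //    valid nonce so the request cannot be forged from another site.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'fm_demo_csv', 'nonce' );

    // 2. Input handling: unslash, sanitise, then bind as parameters. %s is quoted
    //    and escaped by $wpdb->prepare(); LIKE wildcards in user input are
    //    neutralised by esc_like() so '%' or '_' cannot widen the match.
    $name   = sanitize_text_field( wp_unslash( $_REQUEST['name'] ?? '' ) );
    $search = sanitize_text_field( wp_unslash( $_REQUEST['search_labels'] ?? '' ) );
    $like   = '%' . $wpdb->esc_like( $search ) . '%';

    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}formmaker WHERE title = %s AND title LIKE %s",
        $name,
        $like
    );
    $rows = $wpdb->get_results( $sql, ARRAY_A );
    wp_send_json_success( $rows );
}

// Only the hardened handler is exposed; the vulnerable one exists for comparison.
add_action( 'wp_ajax_fm_demo_csv_hardened', 'fm_demo_csv_hardened' );
```

Where a request parameter chooses an identifier (a table or column name) rather than a value, prepare() cannot bind it; compare it against a fixed allow-list and reject anything else.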

Affected Systems

The affected product is Web‑Dorado’s Contact Form Maker plugin for WordPress, specifically version 1.12.20. No other product or version information was disclosed.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 7.1 (High) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N: it is reachable over the network, has low attack complexity, needs no user interaction, and requires only low privileges, so any valid account that can reach the plugin's admin-ajax actions is sufficient. EPSS data is not available, and the issue is not listed in the CISA KEV catalog. An attacker therefore needs valid credentials or another weakness that yields an authenticated session. The impact is primarily to confidentiality (disclosure of database contents), with limited integrity impact and no availability impact.

Generated by OpenCVE AI on May 23, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of the Contact Form Maker plugin once the vendor publishes a release that addresses this issue; at the time of writing no fixed version is listed.
  • If an upgrade is not immediately possible, block or disable the FormMakerSQLMapping and generete_csv_fmc admin-ajax actions, or restrict them to trusted administrators only.
  • Limit the WordPress roles that can reach the plugin's administrative features, granting only the minimum privileges required; the CVSS vector (PR:L) indicates that a low-privileged account may be enough to exploit the issue.
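
An interim mitigation for the second and third recommendations above, written as an added example (not code from Web-Dorado or OpenCVE): a must-use plugin that intercepts admin-ajax requests for the two named actions and either removes their handlers or limits them to administrators, logging refused attempts. The manage_options capability, the log line format and the hook priority are assumptions; the admin_init hook is used because admin-ajax.php fires it before dispatching wp_ajax_{action}.

```php
<?php
/**
 * Plugin Name: Block Contact Form Maker SQL AJAX actions (interim mitigation)
 *
 * Added example, not code from Web-Dorado or OpenCVE. Place it in
 * wp-content/mu-plugins/ so it loads before regular plugins. It refuses
 * admin-ajax requests for the two actions named in CVE-2018-25347 unless the
 * caller is an administrator, and logs every refused attempt. The capability
 * 'manage_options' and the log format are assumptions chosen for this example.
 */

const FMC_BLOCKED_ACTIONS = array( 'FormMakerSQLMapping', 'generete_csv_fmc' );

function fmc_mitigation_guard() {
    // Only admin-ajax.php requests carry these actions; leave everything else alone.
    if ( ! wp_doing_ajax() || empty( $_REQUEST['action'] ) ) {
        return;
    }
    $action = (string) $_REQUEST['action'];
    if ( ! in_array( $action, FMC_BLOCKED_ACTIONS, true ) ) {
        return;
    }

    // Option 1 (disable): drop the plugin's handlers so nothing runs at all.
    // Uncomment to disable the endpoints outright instead of restricting them.
    // remove_all_actions( 'wp_ajax_' . $action );
    // remove_all_actions( 'wp_ajax_nopriv_' . $action );

    // Option 2 (restrict): allow only administrators. PR:L in the CVSS vector
    // means a low-privileged account is otherwise enough to reach the bug.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    $user = wp_get_current_user();
    error_log( sprintf(
        'CVE-2018-25347 mitigation: blocked action=%s user=%s ip=%s',
        $action,
        ( $user && $user->exists() ) ? $user->user_login : 'anonymous',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
}

// admin_init fires inside admin-ajax.php before the wp_ajax_{action} hook, and
// after all plugins have registered their handlers, so the guard runs first.
add_action( 'admin_init', 'fmc_mitigation_guard', 0 );
```

A must-use plugin cannot be deactivated from the dashboard, which is what you want for a hot fix; remove the file once the vendor ships a patched release. The error_log() lines give you a detection signal for attempts made while the mitigation is in place.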

Advisories

No advisories yet.

History

Sat, 23 May 2026 19:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress
                                      Wordpress wordpress
Vendors & Products                    Wordpress
                                      Wordpress wordpress

Sat, 23 May 2026 18:45:00 +0000

Type                 Values Removed   Values Added
Description                           WordPress Contact Form Maker Plugin 1.12.20 contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through the FormMakerSQLMapping and generete_csv_fmc AJAX actions. Attackers can inject malicious SQL code via the 'name' and 'search_labels' parameters to extract sensitive database information or escalate privileges.
Title                                 WordPress Contact Form Maker Plugin 1.12.20 SQL Injection
First Time appeared                   Web-dorado
                                      Web-dorado contact Form Maker
Weaknesses                            CWE-89
CPEs                                  cpe:2.3:a:web-dorado:contact_form_maker:*:*:*:*:*:wordpress:*:*
Vendors & Products                    Web-dorado
                                      Web-dorado contact Form Maker
References
Metrics                               cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}
                                      cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-23T18:30:48.903Z

Reserved: 2026-05-23T15:26:41.278Z

Link: CVE-2018-25347

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-23T20:00:11Z

Weaknesses