Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Jeffrey Contact Form 7 Round Robin Lead Distribution contact-form-7-round-robin-lead-distribution allows SQL Injection. This issue affects Contact Form 7 Round Robin Lead Distribution: from n/a through <= 1.2.1.
Published: 2025-01-22
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper handling of user-supplied data in the Contact Form 7 Round Robin Lead Distribution plugin creates an SQL injection flaw. An attacker can inject arbitrary SQL code and potentially read, modify or delete database contents. The vulnerability directly exposes the database to tampering and data leakage, threatening the confidentiality, integrity, and availability of the site's data.

Affected Systems

The flaw exists in the David Jeffrey Contact Form 7 Round Robin Lead Distribution plugin for WordPress, affecting all versions up to and including 1.2.1.

Risk and Exploitability

The CVSS score of 7.6 indicates high severity. The EPSS score of less than 1% suggests that exploitation is not yet common, and the vulnerability is not listed in the CISA KEV catalog. Attackers would likely exploit the vulnerability by submitting malicious input through the plugin's contact form interface, which is reachable via the web front end.

Generated by OpenCVE AI on May 1, 2026 at 19:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to a version newer than 1.2.1 or uninstall it entirely
  • Disable the plugin’s round robin lead distribution feature and delete its database tables if the plugin cannot be upgraded or removed
  • Configure a web application firewall or input validation rule to block suspicious SQL characters in form submissions



Advisories
Source: EUVD
ID: EUVD-2025-3416
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Contact Form 7 Round Robin Lead Distribution allows SQL Injection. This issue affects Contact Form 7 Round Robin Lead Distribution: from n/a through 1.2.1.
History

Wed, 29 Apr 2026 10:15:00 +0000

Metrics cvssV3_1: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Description removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Contact Form 7 Round Robin Lead Distribution allows SQL Injection. This issue affects Contact Form 7 Round Robin Lead Distribution: from n/a through 1.2.1.
Description added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Jeffrey Contact Form 7 Round Robin Lead Distribution contact-form-7-round-robin-lead-distribution allows SQL Injection. This issue affects Contact Form 7 Round Robin Lead Distribution: from n/a through <= 1.2.1.
References: (updated)
Metrics cvssV3_1: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Thu, 23 Jan 2025 17:15:00 +0000

Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Jan 2025 14:45:00 +0000

Description added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Contact Form 7 Round Robin Lead Distribution allows SQL Injection. This issue affects Contact Form 7 Round Robin Lead Distribution: from n/a through 1.2.1.
Title added: WordPress Contact Form 7 Round Robin Lead Distribution Plugin <= 1.2.1 - SQL Injection vulnerability
Weaknesses added: CWE-89
References: (added)
Metrics cvssV3_1: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:54.219Z

Reserved: 2025-01-16T11:30:13.733Z

Link: CVE-2025-23784

Vulnrichment

Updated: 2025-01-23T16:31:02.371Z

NVD

Status: Deferred

Published: 2025-01-22T15:15:23.713

Modified: 2026-04-29T10:16:41.030

Link: CVE-2025-23784

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T19:45:24Z

Weaknesses