Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in codepeople Form Builder CP cp-easy-form-builder allows SQL Injection. This issue affects Form Builder CP: from n/a through <= 1.2.41.
Published: 2025-01-24
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Form Builder CP WordPress plugin improperly neutralizes special characters in user-supplied data before embedding them into SQL statements. An attacker can inject SQL code that is executed by the backend database, potentially allowing the disclosure, modification, or deletion of arbitrary data stored by the site. The vulnerability is classified as CWE-89, the classic SQL injection weakness class.

Affected Systems

The affected product is the WordPress "Form Builder CP" plugin from codepeople, for all released versions up to and including 1.2.41. Any WordPress site that has this plugin installed is potentially vulnerable.

Risk and Exploitability

With a CVSS score of 8.5, the severity is high. The EPSS score is less than 1%, indicating a low probability of current exploitation, and the vulnerability is not listed in CISA's KEV catalog. Based on the description, the likely attack vector is remote, via a crafted HTTP request to the plugin's form submission endpoint. No authentication is required, meaning the vulnerability can be triggered by any user who can reach the affected page. Note that the published CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L) records low privileges required (PR:L), a scope change, high confidentiality impact and no integrity impact, so the preconditions and impact stated above should be checked against that vector.

Generated by OpenCVE AI on May 1, 2026 at 18:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Form Builder CP to a version newer than 1.2.41 or remove the plugin entirely.
  • If upgrading is not immediately possible, restrict the form submission URL so that only authenticated users can post data, and enable CSRF protection to limit who can target the endpoint.
  • Deploy a web application firewall that monitors for SQL keywords in the request payload and blocks suspicious requests.
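The advisory names neither the query nor the parameter involved, so the following is a generic illustration of the CWE-89 pattern described under Impact, together with the interim controls listed above (nonce-based CSRF protection, a logged-in requirement, and input sanitization). It is an added example written for this page, not code from the Form Builder CP plugin or from codepeople; the table name, column names, function names, and the AJAX action and nonce names are assumptions.

```php
<?php
// Hypothetical example, not code from the Form Builder CP plugin.
// Table, columns, function names, action and nonce names are assumptions.

// --- Vulnerable pattern (CWE-89): user input concatenated into SQL ---
function hypothetical_lookup_unsafe( $form_id, $email ) {
    global $wpdb;
    $table = $wpdb->prefix . 'hypothetical_form_entries';
    // $email is interpolated verbatim; a quote character in it rewrites the query.
    $sql = "SELECT id, submitted_at FROM {$table} WHERE form_id = {$form_id} AND email = '{$email}'";
    return $wpdb->get_results( $sql );
}

// --- Hardened form: every value is bound through $wpdb->prepare() ---
function hypothetical_lookup_safe( $form_id, $email ) {
    global $wpdb;
    $table = $wpdb->prefix . 'hypothetical_form_entries';
    $sql   = $wpdb->prepare(
        "SELECT id, submitted_at FROM {$table} WHERE form_id = %d AND email = %s",
        absint( $form_id ),
        $email
    );
    return $wpdb->get_results( $sql );
}

// Inserts go through $wpdb->insert() with explicit formats, so no SQL is hand-built.
function hypothetical_store_entry( $form_id, $email, $message ) {
    global $wpdb;
    $table = $wpdb->prefix . 'hypothetical_form_entries';
    $rows  = $wpdb->insert(
        $table,
        array(
            'form_id'      => absint( $form_id ),
            'email'        => $email,
            'message'      => $message,
            'submitted_at' => current_time( 'mysql' ),
        ),
        array( '%d', '%s', '%s', '%s' )
    );
    return ( false === $rows ) ? 0 : $wpdb->insert_id;
}

// AJAX endpoint with the interim controls the recommended actions describe:
// nonce check (CSRF), logged-in requirement, and sanitization before storage.
function hypothetical_handle_submission() {
    // Terminates the request with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'hypothetical_form_submit', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    $email   = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    $message = isset( $_POST['message'] ) ? sanitize_textarea_field( wp_unslash( $_POST['message'] ) ) : '';

    if ( 0 === $form_id || ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid form id or e-mail address.' ), 400 );
    }

    $entry_id = hypothetical_store_entry( $form_id, $email, $message );
    if ( 0 === $entry_id ) {
        wp_send_json_error( array( 'message' => 'Could not store entry.' ), 500 );
    }
    wp_send_json_success( array( 'entry_id' => $entry_id ) );
}

// Registered on the logged-in hook only; without a wp_ajax_nopriv_ counterpart,
// anonymous requests never reach the handler.
add_action( 'wp_ajax_hypothetical_form_submit', 'hypothetical_handle_submission' );
```

The sanitization calls reduce what reaches the database but are not the SQL injection fix; the fix is that no user-controlled value ever enters a statement except through `$wpdb->prepare()` placeholders or `$wpdb->insert()` formats. The nonce and login checks correspond to the interim mitigation above and limit who can reach the endpoint while the plugin remains unpatched.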

Advisories
Source: EUVD
ID: EUVD-2025-3866
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CodePeople Form Builder CP allows SQL Injection. This issue affects Form Builder CP: from n/a through 1.2.41.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics: cvssV3_1
  {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description:
  Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CodePeople Form Builder CP allows SQL Injection. This issue affects Form Builder CP: from n/a through 1.2.41.
  Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in codepeople Form Builder CP cp-easy-form-builder allows SQL Injection.This issue affects Form Builder CP: from n/a through <= 1.2.41.
References: (no values listed)
Metrics: cvssV3_1
  {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Fri, 24 Jan 2025 19:15:00 +0000

Metrics: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 24 Jan 2025 17:30:00 +0000

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CodePeople Form Builder CP allows SQL Injection. This issue affects Form Builder CP: from n/a through 1.2.41.
Title: WordPress Form Builder CP Plugin <= 1.2.41 - SQL Injection vulnerability
Weaknesses: CWE-89
References: (no values listed)
Metrics: cvssV3_1
  {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Codepeople Form Builder Cp
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:31.660Z

Reserved: 2025-01-23T14:51:57.436Z

Link: CVE-2025-24672

Vulnrichment

Updated: 2025-01-24T18:46:18.932Z

NVD

Status: Deferred

Published: 2025-01-24T18:15:40.890

Modified: 2026-06-17T08:59:24.967

Link: CVE-2025-24672

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T18:45:15Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')