Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPCRM - CRM for Contact form CF7 & WooCommerce wpcrm allows SQL Injection. This issue affects WPCRM - CRM for Contact form CF7 & WooCommerce: from n/a through <= 3.2.0.
Published: 2025-06-17
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an SQL Injection flaw: user-controlled input is not properly sanitized before being embedded into an SQL command. If exploited, an attacker could read, modify, or delete data in the WordPress database, potentially compromising all stored customer or transaction information and disrupting the site's operation. This weakness aligns with CWE-89 and presents a severe threat to confidentiality, integrity, and availability. The CVSS score of 9.3 indicates critical severity, with the potential for full compromise if the application processes untrusted input.

Affected Systems

The affected product is the WordPress plugin WPCRM - CRM for Contact form CF7 & WooCommerce by mojoomla. Versions from the earliest released through 3.2.0 are vulnerable. No other products or versions are listed.

Risk and Exploitability

The EPSS score is reported as less than 1%, suggesting that widespread exploitation is unlikely at this time, yet the high CVSS score warrants immediate attention. The vulnerability is not listed in the CISA KEV catalog, but its critical score and potential for data leakage demand prompt remediation. The likely attack vector is HTTP requests carrying malicious input to the plugin's form-handling or API endpoints, though the exact path is not detailed in the description. If an attacker can supply arbitrary SQL fragments, they can execute commands against the underlying database. Maintaining current plugin versions or applying vendor patches removes the vulnerability entirely.

Generated by OpenCVE AI on May 1, 2026 at 07:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WPCRM to version 3.2.1 or later to remove the SQL injection flaw.
  • If an update is not immediately possible, disable the plugin's database-interaction endpoints or block direct access to the plugin's administrative URLs using .htaccess or a firewall rule.
  • Validate and sanitize all incoming data on the server side, ensuring that any SQL queries use parameterized statements or prepared statements to eliminate injection vectors.

Advisories

Source: EUVD
ID: EUVD-2025-18522
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPCRM - CRM for Contact form CF7 & WooCommerce allows SQL Injection. This issue affects WPCRM - CRM for Contact form CF7 & WooCommerce: from n/a through 3.2.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

  • Metrics (cvssV3_1): {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  • Description
    Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPCRM - CRM for Contact form CF7 & WooCommerce allows SQL Injection. This issue affects WPCRM - CRM for Contact form CF7 & WooCommerce: from n/a through 3.2.0.
    Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPCRM - CRM for Contact form CF7 & WooCommerce wpcrm allows SQL Injection.This issue affects WPCRM - CRM for Contact form CF7 & WooCommerce: from n/a through <= 3.2.0.
  • Title
    Removed: WordPress WPCRM - CRM for Contact form CF7 & WooCommerce <= 3.2.0 - SQL Injection Vulnerability
    Added: WordPress WPCRM - CRM for Contact form CF7 & WooCommerce plugin <= 3.2.0 - SQL Injection Vulnerability
  • References: (no values listed)
  • Metrics (cvssV3_1): {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Tue, 17 Jun 2025 18:15:00 +0000

  • Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Jun 2025 15:15:00 +0000

  • Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPCRM - CRM for Contact form CF7 & WooCommerce allows SQL Injection. This issue affects WPCRM - CRM for Contact form CF7 & WooCommerce: from n/a through 3.2.0.
  • Title: WordPress WPCRM - CRM for Contact form CF7 & WooCommerce <= 3.2.0 - SQL Injection Vulnerability
  • Weaknesses: CWE-89
  • References: (no values listed)
  • Metrics (cvssV3_1): {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:23:30.937Z

Reserved: 2025-01-23T14:53:25.027Z

Link: CVE-2025-24773

Vulnrichment

Updated: 2025-06-17T17:34:56.864Z

NVD

Status: Deferred

Published: 2025-06-17T15:15:40.940

Modified: 2026-06-17T08:59:35.063

Link: CVE-2025-24773

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:30:11Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')