Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Steve Truman Contact Us page - Contact people LITE contact-us-page-contact-people allows SQL Injection. This issue affects Contact Us page - Contact people LITE: from n/a through <= 3.7.4.
Published: 2025-07-04
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the WordPress plugin Contact Us page - Contact people LITE. Improper neutralization of special elements used in an SQL command allows an attacker to inject arbitrary SQL when submitting the contact form. This could enable the execution of SQL statements that read, modify, or delete database contents, potentially exposing sensitive data or disrupting site functionality.

Affected Systems

Affected systems are websites running the WordPress Contact Us page - Contact people LITE plugin version 3.7.4 or earlier. The plugin is commonly used to provide a contact form; any site that has installed this plugin without upgrading to a newer version is at risk.

Risk and Exploitability

The CVSS base score of 8.5 indicates high severity, but the EPSS score of less than 1% suggests a low probability of exploitation in the wild today. The vulnerability is not listed in the CISA KEV catalog, so no known active exploits are publicly documented. Attackers likely need to find a way to submit crafted input via the publicly exposed contact form; no authentication is required, making the vector readily available. Because of the high impact, fixing the software promptly is essential.

Generated by OpenCVE AI on April 30, 2026 at 17:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Contact Us page - Contact people LITE plugin to a version newer than 3.7.4 that contains the fix.
  • If the plugin must remain active, enforce strict input validation or deploy a Web Application Firewall rule that blocks suspicious SQL injection attempts.
  • Monitor database activity for unauthorized changes and run periodic security scans to detect any exploitation.


Advisories
Source: EUVD
ID: EUVD-2025-19948
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Steve Truman Contact Us page - Contact people LITE allows SQL Injection. This issue affects Contact Us page - Contact people LITE: from n/a through 3.7.4.

History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1), value added:
    {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description, value removed:
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Steve Truman Contact Us page - Contact people LITE allows SQL Injection. This issue affects Contact Us page - Contact people LITE: from n/a through 3.7.4.
  Description, value added:
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Steve Truman Contact Us page - Contact people LITE contact-us-page-contact-people allows SQL Injection. This issue affects Contact Us page - Contact people LITE: from n/a through <= 3.7.4.
  References: (no values shown)
  Metrics (cvssV3_1), value added:
    {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Fri, 04 Jul 2025 09:00:00 +0000

  Description, value added:
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Steve Truman Contact Us page - Contact people LITE allows SQL Injection. This issue affects Contact Us page - Contact people LITE: from n/a through 3.7.4.
  Title, value added:
    WordPress Contact Us page - Contact people LITE plugin <= 3.7.4 - SQL Injection Vulnerability
  Weaknesses, value added: CWE-89
  References: (no values shown)
  Metrics (cvssV3_1), value added:
    {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:52.072Z

Reserved: 2025-03-11T08:10:27.473Z

Link: CVE-2025-28967

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2025-07-04T09:15:30.760

Modified: 2026-06-17T09:04:58.247

Link: CVE-2025-28967

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T17:15:42Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')