Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kofi Mokome Message Filter for Contact Form 7 (cf7-message-filter) allows SQL Injection. This issue affects Message Filter for Contact Form 7: from n/a through <= 1.6.3.2.
Published: 2025-04-22
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper neutralization of special elements in SQL commands, allowing an attacker to inject arbitrary SQL statements via the contact form. The flaw is rooted in the Kofi Mokome Message Filter for Contact Form 7 plugin and is classified as CWE-89. If exploited, an attacker could read, modify, or delete data stored in the WordPress database, potentially leaking sensitive information or corrupting the site’s content.

Affected Systems

The issue affects all versions of the Kofi Mokome Message Filter for Contact Form 7 plugin up to and including 1.6.3.2. Systems running WordPress installations that have this plugin installed are vulnerable; no specific WordPress core version is listed as a limitation.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.6, indicating a high risk to confidentiality and integrity, but its EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild. The vulnerability is not present in the CISA Known Exploited Vulnerabilities catalog, further indicating limited current exploitation evidence. The likely attack vector is the submission of crafted input through the contact form, which is inferred from the description and would be an unauthenticated remote attack over HTTP/HTTPS. While no active exploits have been reported, the high severity warrants action.

Generated by OpenCVE AI on May 1, 2026 at 09:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Kofi Mokome Message Filter for Contact Form 7 plugin to a version newer than 1.6.3.2
  • If a newer plugin version is not available, remove the plugin entirely or replace it with a secure alternative
  • Apply rigorous input validation or use WordPress sanitization functions to escape all parameters used in SQL queries
  • Implement a Web Application Firewall to detect and block potential SQL injection payloads



Advisories
Source: EUVD
ID: EUVD-2025-12318
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kofimokome Message Filter for Contact Form 7 allows SQL Injection. This issue affects Message Filter for Contact Form 7: from n/a through 1.6.3.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1)
  Removed: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}
  Added:   {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kofimokome Message Filter for Contact Form 7 allows SQL Injection. This issue affects Message Filter for Contact Form 7: from n/a through 1.6.3.2.
  Added:   Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kofi Mokome Message Filter for Contact Form 7 cf7-message-filter allows SQL Injection.This issue affects Message Filter for Contact Form 7: from n/a through <= 1.6.3.2.
References
Metrics (cvssV3_1)
  Removed: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}
  Added:   {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Wed, 30 Apr 2025 15:30:00 +0000

First Time appeared
  Added: Kofimokome
         Kofimokome message Filter For Contact Form 7
CPEs
  Added: cpe:2.3:a:kofimokome:message_filter_for_contact_form_7:*:*:*:*:*:wordpress:*:*
Vendors & Products
  Added: Kofimokome
         Kofimokome message Filter For Contact Form 7

Tue, 22 Apr 2025 10:00:00 +0000

Description
  Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kofimokome Message Filter for Contact Form 7 allows SQL Injection. This issue affects Message Filter for Contact Form 7: from n/a through 1.6.3.2.
Title
  Added: WordPress Message Filter for Contact Form 7 plugin <= 1.6.3.2 - SQL Injection vulnerability
Weaknesses
  Added: CWE-89
References
Metrics (cvssV3_1)
  Added: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:37.038Z

Reserved: 2025-04-22T09:21:43.075Z

Link: CVE-2025-46252

Vulnrichment

No data.

NVD

Status: Modified

Published: 2025-04-22T10:15:19.970

Modified: 2026-04-23T15:29:57.520

Link: CVE-2025-46252

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:30:14Z

Weaknesses