Description
The GoZen Forms plugin for WordPress is vulnerable to SQL Injection via the 'forms-id' parameter of the dirGZActiveForm() function in all versions up to, and including, 1.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-07-04
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Patch
AI Analysis

Impact

The GoZen Forms WordPress plugin contains a vulnerability in the dirGZActiveForm() function; the forms-id parameter is not properly escaped or prepared in the underlying SQL statement. An unauthenticated attacker can supply a crafted forms-id value that appends additional SQL statements, allowing the injection of arbitrary queries. This defect is classified as CWE‑89 and permits attackers to retrieve sensitive database data such as user credentials, content, and configuration information, thereby compromising confidentiality of the WordPress site and its database.

Affected Systems

Affected are installations of the optinlyhq GoZen Forms plugin for WordPress that are version 1.1.5 or earlier. The vulnerability exists in all releases up to and including 1.1.5 and can be exploited on any WordPress installation that has the plugin enabled and accessible to external users.

Risk and Exploitability

The CVSS score of 7.5 places this issue in the high‑severity range, indicating a significant risk if uncovered. However, the EPSS score is below 1 %, implying that real‑world exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Attackers can call the dirGZActiveForm() endpoint directly from a web browser or via automated scripts by supplying a malicious forms-id parameter, without needing any authentication. The likely attack vector is unauthenticated access to the dirGZActiveForm() endpoint.

Generated by OpenCVE AI on April 21, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest GoZen Forms plugin version (≥ 1.1.6), or remove the plugin entirely if it is not required.
  • If an upgrade is not immediately possible, disable access to the dirGZActiveForm() endpoint for unauthenticated users by restricting the URL via .htaccess, web‑application firewall rules, or a reverse‑proxy configuration.
  • Implement input validation on the forms‑id parameter to reject non‑numeric values or otherwise sanitize user input before it reaches the database.

Generated by OpenCVE AI on April 21, 2026 at 19:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-19915 The GoZen Forms plugin for WordPress is vulnerable to SQL Injection via the 'forms-id' parameter of the dirGZActiveForm() function in all versions up to, and including, 1.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Wed, 09 Jul 2025 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Optinlyhq
Optinlyhq gozen Forms
CPEs cpe:2.3:a:optinlyhq:gozen_forms:*:*:*:*:*:wordpress:*:*
Vendors & Products Optinlyhq
Optinlyhq gozen Forms

Mon, 07 Jul 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 04 Jul 2025 02:30:00 +0000

Type Values Removed Values Added
Description The GoZen Forms plugin for WordPress is vulnerable to SQL Injection via the 'forms-id' parameter of the dirGZActiveForm() function in all versions up to, and including, 1.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title GoZen Forms <= 1.1.5 - Unauthenticated SQL Injection via dirGZActiveForm()
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Optinlyhq Gozen Forms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:52.209Z

Reserved: 2025-06-27T12:16:12.131Z

Link: CVE-2025-6782

cve-icon Vulnrichment

Updated: 2025-07-07T14:06:07.810Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-04T03:15:22.913

Modified: 2025-07-09T17:47:40.597

Link: CVE-2025-6782

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T20:00:25Z

Weaknesses