Description
The GoZen Forms plugin for WordPress is vulnerable to SQL Injection via the 'forms-id' parameter of the emdedSc() function in all versions up to, and including, 1.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-07-04
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated SQL injection enabling extraction of sensitive database contents
Action: Immediate Patch
AI Analysis

Impact

The identified weakness lies in the GoZen Forms plugin for WordPress, where the emdedSc() function fails to escape the user supplied 'forms-id' parameter and does not prepare the surrounding SQL query. Because of this flaw an attacker can insert arbitrary SQL statements. The result is an unauthenticated SQL Injection that permits reading of database tables, potentially revealing user data, configuration, and other confidential information. The vulnerability directly compromises database confidentiality.

Affected Systems

The flaw affects all installations of the GoZen Forms plugin version 1.1.5 or older, including the base release provided by optinlyhq. WordPress sites running these versions are at risk regardless of their overall configuration, as the plugin is loaded by default and the function is accessible to all visitors.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity for exploitation. The EPSS score is below 1 %, showing a very low current probability of usage in the wild, and it is not listed in the CISA KEV catalog. Nonetheless, because the attack does not require any authentication, the potential impact is significant if an attacker can reach the endpoint. The expected attack vector is a crafted HTTP request containing the 'forms-id' parameter. Once the injection succeeds, the attacker gains read access to the database, which can have business‑critical consequences.

Generated by OpenCVE AI on April 21, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade immediately to the latest GoZen Forms release (1.1.6 or newer) which corrects the SQL escaping flaw.
  • If an upgrade is impossible, block access to the emdedSc() endpoint or permanently disable the plugin from the WordPress admin interface to prevent unauthenticated use.
  • Deploy a Web Application Firewall rule or use a security middleware to filter and block suspicious SQL terms (e.g., SELECT, UNION, DROP) from incoming requests targeting the plugin's URLs.

Generated by OpenCVE AI on April 21, 2026 at 19:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-19917 The GoZen Forms plugin for WordPress is vulnerable to SQL Injection via the 'forms-id' parameter of the emdedSc() function in all versions up to, and including, 1.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Wed, 09 Jul 2025 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Optinlyhq
Optinlyhq gozen Forms
CPEs cpe:2.3:a:optinlyhq:gozen_forms:*:*:*:*:*:wordpress:*:*
Vendors & Products Optinlyhq
Optinlyhq gozen Forms

Tue, 08 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 04 Jul 2025 02:30:00 +0000

Type Values Removed Values Added
Description The GoZen Forms plugin for WordPress is vulnerable to SQL Injection via the 'forms-id' parameter of the emdedSc() function in all versions up to, and including, 1.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title GoZen Forms <= 1.1.5 - Unauthenticated SQL Injection via emdedSc()
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Optinlyhq Gozen Forms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:01:51.764Z

Reserved: 2025-06-27T12:22:17.891Z

Link: CVE-2025-6783

cve-icon Vulnrichment

Updated: 2025-07-08T14:10:12.249Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-04T03:15:23.077

Modified: 2025-07-09T17:48:04.003

Link: CVE-2025-6783

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T20:00:25Z

Weaknesses