Description
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to time-based SQL Injection via the `order_by` parameter in all versions up to, and including, 1.45.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-07-18
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection via order_by parameter
Action: Patch Immediately
AI Analysis

Impact

The Forminator plugin contains a time‑based SQL injection flaw in the order_by parameter. The value is not properly escaped and the existing SQL query is not sufficiently prepared, allowing injected SQL to be appended to the original statement. Attackers who are authenticated with Administrator or higher privileges can exploit this to run arbitrary queries and extract sensitive data from the WordPress database.

Affected Systems

WordPress sites that use the Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin, versions 1.45.0 and all earlier releases.

Risk and Exploitability

The vulnerability has a CVSS score of 4.9, indicating moderate severity, and an EPSS score of less than 1%, meaning the probability of exploitation is low. The flaw is not listed in the CISA KEV catalog. Since only authenticated users with Administrator level access can trigger the injection, exploitation requires local administrative control of the site rather than remote access. The impact is limited to the scope of the attacker’s WordPress database but can expose passwords, user tokens, and other confidential information.

Generated by OpenCVE AI on April 21, 2026 at 04:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Forminator to the latest plugin version that removes the injection vulnerability or apply any vendor‑supplied patch release.
  • Restrict the number of Administrator accounts and enforce least‑privilege policies on existing users so that only trusted personnel retain elevated access.
  • Implement a web‑application firewall or use plugin hardening that filters order_by parameters and monitors for unexpected query patterns to detect or block injection attempts.

Generated by OpenCVE AI on April 21, 2026 at 04:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21840 The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to time-based SQL Injection via the `order_by` parameter in all versions up to, and including, 1.45.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Fri, 18 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 18 Jul 2025 04:30:00 +0000

Type Values Removed Values Added
Description The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to time-based SQL Injection via the `order_by` parameter in all versions up to, and including, 1.45.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.45.0 - Authenticated (Administrator+) SQL Injection via `order_by` Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:56:22.207Z

Reserved: 2025-07-14T14:04:02.345Z

Link: CVE-2025-7638

cve-icon Vulnrichment

Updated: 2025-07-18T13:52:11.290Z

cve-icon NVD

Status : Deferred

Published: 2025-07-18T05:15:32.340

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7638

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T04:00:10Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')