Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aman Views for WPForms views-for-wpforms-lite allows Blind SQL Injection. This issue affects Views for WPForms: from n/a through <= 3.4.6.
Published: 2026-05-12
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A view injection flaw in the Aman Views for WPForms WordPress plugin allows an attacker to perform blind SQL injection through improperly sanitized input. This flaw can let a remote attacker extract or manipulate data from the site’s database, compromising confidentiality and integrity of stored information. The weakness is identified as CWE‑89.

Affected Systems

The vulnerability affects the Aman Views for WPForms plugin version 3.4.6 and all earlier releases. Any WordPress installation that has this plugin enabled is at risk until an update is applied or the plugin is removed.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity. EPSS data is currently unavailable, so the exact likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote WordPress site user or attacker who can submit or modify form data processed by the plugin. Based on the description, it is inferred that exploitation requires only that the plugin is active; no additional privileges are required.

Generated by OpenCVE AI on May 12, 2026 at 12:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Views for WPForms plugin to the latest available version (3.4.7 or newer).
  • If an upgrade is not possible, remove or disable the plugin to prevent its code from executing.
  • Implement a web application firewall rule to block suspicious SQL patterns targeting the plugin’s endpoints.

Generated by OpenCVE AI on May 12, 2026 at 12:22 UTC.

Advisories

No advisories yet.

History

Tue, 12 May 2026 14:15:00 +0000

Values Removed: none
Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 11:15:00 +0000

Values Removed: none
Values Added:
  • Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aman Views for WPForms views-for-wpforms-lite allows Blind SQL Injection. This issue affects Views for WPForms: from n/a through <= 3.4.6.
  • Title: WordPress Views for WPForms plugin <= 3.4.6 - SQL Injection vulnerability
  • Weaknesses: CWE-89
  • References:
  • Metrics: cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T12:38:21.896Z

Reserved: 2026-04-29T09:05:30.886Z

Link: CVE-2026-42742

Vulnrichment

Updated: 2026-05-12T12:38:16.291Z

NVD

Status: Deferred

Published: 2026-05-12T11:16:20.227

Modified: 2026-05-12T14:03:52.757

Link: CVE-2026-42742

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T12:30:15Z

Weaknesses