Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Blind SQL Injection.This issue affects Easy Form Builder: from n/a through <= 4.0.6.
Published: 2026-05-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Easy Form Builder plugin for WordPress fails to properly neutralize special characters used in SQL commands, allowing an attacker to insert arbitrary SQL through form inputs. This flaw enables blind SQL injection, which can be used to extract sensitive information or modify database contents without immediate visible error responses. The impact manifests as unauthorized data disclosure and potential manipulation of the site’s data integrity.

Affected Systems

The vulnerability affects the WordPress Easy Form Builder plugin provided by hassantafreshi. All released versions from the first version through 4.0.6 are susceptible; the exact lower bound is unspecified but the patch applies to any version up to and including 4.0.6.

Risk and Exploitability

With a CVSS score of 9.3, the flaw is considered critical. The EPSS score is not available, so the current probability of exploitation cannot be quantified. It is not listed in CISA’s KEV catalog. Attackers can exploit the issue remotely by submitting crafted input via any exposed form provided by the plugin. No additional credentials or privileges are required beyond the ability to interact with the form.

Generated by OpenCVE AI on May 27, 2026 at 11:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Easy Form Builder plugin to version 4.0.7 or later when available
  • If an immediate update is not possible, disable or uninstall the plugin from the WordPress installation
  • Where feasible, implement additional input validation and output escaping on all form fields to reduce the risk of SQL injection

Generated by OpenCVE AI on May 27, 2026 at 11:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Blind SQL Injection.This issue affects Easy Form Builder: from n/a through <= 4.0.6.
Title WordPress Easy Form Builder plugin <= 4.0.6 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-27T10:50:32.583Z

Reserved: 2026-04-29T09:05:30.887Z

Link: CVE-2026-42747

cve-icon Vulnrichment

Updated: 2026-05-27T10:50:27.399Z

cve-icon NVD

Status : Deferred

Published: 2026-05-27T11:16:21.173

Modified: 2026-05-27T14:50:47.627

Link: CVE-2026-42747

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T11:45:15Z

Weaknesses