Description
The WP Forms Connector plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/wp/v3/post/list REST endpoint in versions up to and including 1.8. This is due to insufficient escaping on the user-supplied 'order' parameter (read directly from $_GET['order'] into $shorting) and the lack of sufficient preparation on the existing SQL query in the listPost() function, where the value is concatenated unquoted into the ORDER BY clause and executed via $wpdb->get_results() without $wpdb->prepare(). The endpoint is registered with permission_callback '__return_true' and performs only a broken header-based check that validates the supplied 'Username' corresponds to an administrator account while never verifying the 'Password'. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-06-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Forms Connector plugin for WordPress receives an unsanitized "order" parameter from the /wp-json/wp/v3/post/list REST endpoint, concatenating it directly into an SQL ORDER BY clause without quoting or preparation. This flaw, a classic SQL injection (CWE‑89), permits an attacker to inject arbitrary SQL that is executed via $wpdb->get_results(), enabling extraction of sensitive database contents. Because the endpoint uses a permissive permission_callback and a broken header check that never verifies the supplied password, the vulnerability is exploitable by unauthenticated users.

Affected Systems

Versions of the WP Forms Connector plugin up to and including 1.8, distributed by the vendor hancock11, are affected. WordPress sites that have installed these versions expose the vulnerable REST endpoint.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. EPSS data is not available, but the lack of authentication around the endpoint makes exploitation straightforward for anyone with network access to the site. The vulnerability is not listed in CISA KEV, so no confirmed exploits are publicly documented yet, but the attack vector and high impact warrant immediate attention.

Generated by OpenCVE AI on June 24, 2026 at 09:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Forms Connector to the latest version that includes the SQL injection fix.
  • If an upgrade is unavailable, disable the /wp-json/wp/v3/post/list endpoint or add proper capability checks to restrict it to administrators.
  • Keep the WordPress core and all plugins updated and consider disabling unauthenticated REST requests that are unnecessary for your site.

Generated by OpenCVE AI on June 24, 2026 at 09:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Hancock11
Hancock11 wp Forms Connector
Wordpress
Wordpress wordpress
Vendors & Products Hancock11
Hancock11 wp Forms Connector
Wordpress
Wordpress wordpress

Wed, 24 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Description The WP Forms Connector plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/wp/v3/post/list REST endpoint in versions up to and including 1.8. This is due to insufficient escaping on the user-supplied 'order' parameter (read directly from $_GET['order'] into $shorting) and the lack of sufficient preparation on the existing SQL query in the listPost() function, where the value is concatenated unquoted into the ORDER BY clause and executed via $wpdb->get_results() without $wpdb->prepare(). The endpoint is registered with permission_callback '__return_true' and performs only a broken header-based check that validates the supplied 'Username' corresponds to an administrator account while never verifying the 'Password'. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title WP Forms Connector <= 1.8 - Unauthenticated SQL Injection via 'order' Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Hancock11 Wp Forms Connector
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-25T13:34:09.301Z

Reserved: 2026-05-21T14:46:02.937Z

Link: CVE-2026-9179

cve-icon Vulnrichment

Updated: 2026-06-25T13:34:05.504Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:05:00Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')