Description
The WP Forms Connector plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/wp/v3/post/list REST endpoint in versions up to and including 1.8. This is due to insufficient escaping on the user-supplied 'order' parameter (read directly from $_GET['order'] into $shorting) and the lack of sufficient preparation on the existing SQL query in the listPost() function, where the value is concatenated unquoted into the ORDER BY clause and executed via $wpdb->get_results() without $wpdb->prepare(). The endpoint is registered with permission_callback '__return_true' and performs only a broken header-based check that validates the supplied 'Username' corresponds to an administrator account while never verifying the 'Password'. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-06-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Forms Connector plugin for WordPress reads the "order" parameter of the /wp-json/wp/v3/post/list REST endpoint straight from the request and concatenates it, unquoted and without $wpdb->prepare(), into the ORDER BY clause of a query executed through $wpdb->get_results(). This is a classic SQL injection (CWE-89). Because the injection point is an ORDER BY expression rather than a quoted string value, and $wpdb runs one statement per query rather than stacked statements, extraction in practice is boolean- or time-based blind (conditional expressions in the sort key) rather than an appended second query; the outcome is still disclosure of arbitrary database contents such as the credential hashes in wp_users. The endpoint is reachable by anyone because its permission_callback is '__return_true' and its own header check only confirms that the supplied Username belongs to an administrator without ever verifying the Password, so an unauthenticated attacker needs nothing more than an administrator's login name.
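
The pattern the record describes, shown next to a hardened form. This is an added illustration, not the plugin's source and not OpenCVE's text: handler names, the table and columns, and the exact query shape are assumptions; only the mechanics named in the description ($_GET['order'] into $shorting, unquoted ORDER BY concatenation, get_results() without prepare(), '__return_true', a Username-only header check) are taken from it.

```php
<?php
// Added illustration for CVE-2026-9179. NOT the plugin's code: handler names,
// table/columns and query shape are assumptions made for clarity.

// ---- Vulnerable shape. In the affected plugin this handler is registered with
// ---- 'permission_callback' => '__return_true', so anyone can reach it.
function vuln_list_post(WP_REST_Request $request) {
    global $wpdb;

    // The "authentication": the Username header must name an administrator.
    // The Password header is never compared against anything.
    $user = get_user_by('login', (string) $request->get_header('Username'));
    if (!$user || !in_array('administrator', (array) $user->roles, true)) {
        return new WP_Error('forbidden', 'Forbidden', ['status' => 403]);
    }

    // Raw request input interpolated unquoted into ORDER BY and executed as-is.
    $shorting = isset($_GET['order']) ? $_GET['order'] : 'DESC';
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_status = 'publish' "
         . "ORDER BY post_date {$shorting}";
    return $wpdb->get_results($sql);
}

// ---- Hardened form: real authorization plus an allow-list for the sort direction.
add_action('rest_api_init', function () {
    register_rest_route('wp/v3', '/post/list', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'safe_list_post',
        // Use WordPress's own REST authentication (cookie+nonce or application
        // passwords) and require a capability; no custom credential headers.
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
        // The REST server validates 'enum' before the callback runs and answers
        // any other value with a 400, so the callback only ever sees asc/desc.
        'args' => [
            'order' => [
                'type'    => 'string',
                'enum'    => ['asc', 'desc'],
                'default' => 'desc',
            ],
        ],
    ]);
});

function safe_list_post(WP_REST_Request $request) {
    global $wpdb;

    // Defense in depth: the ORDER BY direction is a keyword, not a value, so it
    // cannot be bound with %s/%d. Map the validated input onto a fixed literal.
    $order = strtoupper((string) $request->get_param('order')) === 'ASC' ? 'ASC' : 'DESC';

    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_status = %s ORDER BY post_date {$order}",
        'publish'
    );
    return $wpdb->get_results($sql);
}
```

The enum check is case-sensitive, so the mapping in safe_list_post is a second line of defense rather than redundancy. WordPress 6.2 added the %i placeholder to $wpdb->prepare() for identifiers such as column names, but there is still no placeholder for ASC/DESC; a sort-column parameter should be handled the same way, mapped onto a fixed set of names or bound with %i, never interpolated.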

Affected Systems

Versions of the WP Forms Connector plugin up to and including 1.8, distributed by the vendor hancock11, are affected. WordPress sites that have installed these versions expose the vulnerable REST endpoint.

Risk and Exploitability

The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) rates the issue High: reachable over the network, low attack complexity, no privileges or user interaction required, with the impact confined to confidentiality. EPSS is currently below 1%, which reflects the absence of observed exploitation so far rather than any difficulty in exploiting it: the endpoint requires no authentication, and the header check is satisfied by knowing an administrator's login name, which is often discoverable on WordPress sites (author archives, the public users REST endpoint). The vulnerability is not listed in CISA KEV, meaning CISA has not confirmed in-the-wild exploitation, which is not the same as no public exploit existing; the network attack vector and data-disclosure impact warrant prompt attention.

Generated by OpenCVE AI on June 24, 2026 at 09:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Forms Connector to a version later than 1.8 as soon as the vendor publishes one containing the fix; no fixed version is listed at the time of this record, so check the plugin changelog before relying on an update.
  • Until then, block the /wp-json/wp/v3/post/list route (at the web server, a WAF, or a must-use plugin that short-circuits the REST request). Restricting it to administrators with a real capability check narrows exposure but does not remove the injection, which lives in the unquoted ORDER BY.
  • Keep WordPress core and all plugins updated, disable unauthenticated REST routes your site does not need, and watch access logs for requests to this route whose order value is anything other than asc or desc.

Generated by OpenCVE AI on June 24, 2026 at 09:09 UTC.
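
A stop-gap for the blocking recommendation above, as an added example that is neither the vendor's nor OpenCVE's code: a must-use plugin that refuses requests to the route before the vulnerable callback runs and logs the raw sort parameter. The route string is an assumption derived from the URL in the description (namespace wp/v3, route /post/list).

```php
<?php
/**
 * Plugin Name: Stop-gap block for WP Forms Connector post/list (CVE-2026-9179)
 * Description: Added mitigation, not vendor code. Copy into wp-content/mu-plugins/
 *              so it loads before regular plugins; delete once a fixed version is installed.
 */

// Assumption: the plugin registers namespace 'wp/v3' and route '/post/list', so
// WP_REST_Request::get_route() yields '/wp/v3/post/list'. Adjust if it differs.
const WPFC_BLOCKED_ROUTE = '/wp/v3/post/list';

// Set to true only if an admin-side integration must keep working. A capability
// gate narrows who can reach the unquoted ORDER BY; it does not fix it.
const WPFC_ALLOW_ADMINS = false;

add_filter('rest_pre_dispatch', function ($result, WP_REST_Server $server, WP_REST_Request $request) {
    if (rtrim($request->get_route(), '/') !== WPFC_BLOCKED_ROUTE) {
        return $result; // any other route: normal dispatch
    }

    if (WPFC_ALLOW_ADMINS && current_user_can('manage_options')) {
        return $result;
    }

    // Record the attempt with the raw sort parameter so probing stands out in logs.
    error_log(sprintf(
        '[wpfc-block] %s %s %s order=%s',
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $request->get_method(),
        $request->get_route(),
        wp_json_encode($request->get_param('order'))
    ));

    // A non-null return value short-circuits dispatch; the vulnerable callback never runs.
    return new WP_Error(
        'rest_forbidden',
        'This endpoint is disabled pending a vendor fix.',
        ['status' => 403]
    );
}, 10, 3);
```

Because the check runs inside rest_pre_dispatch, the plugin's route registration is untouched and the block can be lifted by deleting the file. Anything in the log line other than asc or desc is worth triaging as probing.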

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 06:30:00 +0000

Type         Values Removed   Values Added
Description  -                The WP Forms Connector plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/wp/v3/post/list REST endpoint in versions up to and including 1.8. This is due to insufficient escaping on the user-supplied 'order' parameter (read directly from $_GET['order'] into $shorting) and the lack of sufficient preparation on the existing SQL query in the listPost() function, where the value is concatenated unquoted into the ORDER BY clause and executed via $wpdb->get_results() without $wpdb->prepare(). The endpoint is registered with permission_callback '__return_true' and performs only a broken header-based check that validates the supplied 'Username' corresponds to an administrator account while never verifying the 'Password'. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title        -                WP Forms Connector <= 1.8 - Unauthenticated SQL Injection via 'order' Parameter
Weaknesses   -                CWE-89
References   -                -
Metrics      -                cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T05:33:23.460Z

Reserved: 2026-05-21T14:46:02.937Z

Link: CVE-2026-9179

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T09:15:06Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')