CVE-2017-20244
Description
SQL injection in Wow Forms WordPress Plugin 2.1 allows unauthenticated attackers to read arbitrary database information via an unescaped POST parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Wow Forms WordPress Plugin version 2.1 contains an SQL injection vulnerability. This vulnerability exists due to an unescaped POST parameter, specifically the mwpformid parameter, within requests to the admin-ajax.php endpoint when using the send_mwp_form action. This allows for the injection of SQL code [4].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a crafted POST request to the admin-ajax.php endpoint with the send_mwp_form action. By injecting SQL code into the mwpformid parameter, an attacker can manipulate database queries [3, 4]. No user interaction is required for exploitation [4].
Impact
Successful exploitation of this vulnerability allows unauthenticated attackers to read arbitrary database information. This means sensitive database contents can be extracted by the attacker, leading to a significant information disclosure compromise [3, 4].
Mitigation
The vulnerability affects Wow Forms version 2.1 and earlier. A fixed version is not explicitly mentioned in the available references, but the exploit was published in April 2017 [3]. It is recommended to update to a version later than 2.1 if available, or to disable or remove the plugin if a patch is not yet released. Information regarding end-of-life status or inclusion in known exploited vulnerabilities lists is not present in the provided references.
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
Root cause
"The 'mwpformid' POST parameter is not properly escaped, allowing for SQL injection."
Attack vector
An unauthenticated attacker can exploit this vulnerability by sending a crafted POST request to the admin-ajax.php endpoint with the action set to 'send_mwp_form' [ref_id=1]. The 'mwpformid' parameter in this request is vulnerable to SQL injection, as it is not properly escaped before being used in a database query [ref_id=1]. This allows attackers to inject malicious SQL code to read arbitrary database information.
Affected code
The vulnerability lies within the Wow Forms WordPress Plugin version 2.1. Specifically, the 'mwpformid' POST parameter, when processed via the admin-ajax.php file with the 'send_mwp_form' action, is susceptible to SQL injection due to a lack of proper escaping [ref_id=1].
What the fix does
The advisory does not specify a patch or provide details on how the vulnerability was fixed. It notes that the vulnerability was not fixed at the time of the exploit's release [ref_id=1]. Therefore, the recommended remediation is to update to a version of the Wow Forms plugin that addresses this SQL injection vulnerability.
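Since neither the plugin's source nor a patch is on this page, the following is an added illustration (not Wow Forms' own code) of the defect the advisory describes and of the standard WordPress remediation: bind the parameter through $wpdb->prepare() after coercing it to the integer it is meant to be. The handler, the table name 'mwp_forms', its 'id' column and the nonce name are assumptions.

```php
<?php
// Added illustration, not the Wow Forms plugin's code. A WordPress AJAX handler
// for the 'send_mwp_form' action that reads 'mwpformid' from POST. The table
// 'mwp_forms', its 'id' column and the nonce name are assumptions.

// Unsafe pattern matching the advisory's root cause: the POST value is
// concatenated into the statement unescaped, so its contents become SQL.
function mwp_load_form_unsafe( $form_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'mwp_forms';
    return $wpdb->get_row( "SELECT * FROM {$table} WHERE id = " . $form_id );
}

// Hardened form: coerce to a positive integer, reject anything else, and
// bind the value with $wpdb->prepare() so it can never be parsed as SQL.
function mwp_load_form_safe( $form_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'mwp_forms';
    $id    = absint( $form_id );
    if ( 0 === $id ) {
        return null; // missing or non-numeric id is not a valid form reference
    }
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id )
    );
}

function mwp_handle_send_form() {
    // CSRF token check; 'mwp_form_nonce' is an assumed nonce action name.
    check_ajax_referer( 'mwp_form_nonce', 'nonce' );
    $form = mwp_load_form_safe( $_POST['mwpformid'] ?? '' );
    if ( null === $form ) {
        wp_send_json_error( array( 'message' => 'Unknown form' ), 400 );
    }
    // Validate the submitted fields against $form and send the mail here.
    wp_send_json_success();
}

// The endpoint is reachable without authentication, hence the nopriv hook.
add_action( 'wp_ajax_send_mwp_form', 'mwp_handle_send_form' );
add_action( 'wp_ajax_nopriv_send_mwp_form', 'mwp_handle_send_form' );
```

With the safe loader, a request carrying a non-numeric mwpformid (such as the sqlmap marker shown under Reproduction) is rejected with a 400 before any query runs.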
Preconditions
- input: The 'mwpformid' POST parameter must be present in the request.
- auth: The attacker does not require any authentication.
Reproduction
sqlmap -u "http://server/wp-admin/admin-ajax.php" --data "action=send_mwp_form&arrkey%5B%5D=mwp-field-0&arrkey%5B%5D=mwp-forms-textarea-0&arrval%5B%5D=form2&arrval%5B%5D=rrr&mwpformid=1*" --dbs --threads=10 --random-agent --dbms mysql [ref_id=1]
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 5
News mentions: 0 (No linked articles in our index yet.)