WordPress Form Maker Plugin 1.12.24 SQL Injection via admin-ajax.php
Description
WordPress Form Maker Plugin 1.12.24 and below contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through the FormMakerSQLMapping and generete_csv actions. Attackers can submit POST requests with malicious SQL payloads in the name and search_labels parameters to extract, modify, or escalate privileges within the WordPress database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated SQL injection in WordPress Form Maker plugin ≤1.12.24 allows attackers to extract, modify, or escalate privileges via crafted POST requests.
Vulnerability
The WordPress Form Maker plugin versions 1.12.24 and below contain SQL injection vulnerabilities in the FormMakerSQLMapping and generete_csv actions accessible via admin-ajax.php [1][2]. Authenticated attackers can inject malicious SQL code through the name parameter in the FormMakerSQLMapping action and the search_labels parameter in the generete_csv action [1]. The vulnerable code does not properly sanitize these inputs before including them in database queries [2].
Exploitation
An attacker must be authenticated with at least the user role required to access the plugin settings page; the vendor advisory indicates that even non-administrator users who can access the plugin admin pages can exploit the issue [1]. The PoC demonstrates submitting a POST request to wp-admin/admin-ajax.php with the action parameter set to either FormMakerSQLMapping or generete_csv and the malicious payload placed in the corresponding parameter (name or search_labels) [1]. The attacker can use time-based blind SQL injection techniques (e.g., SLEEP()) to extract data [1]. No other prerequisite conditions are required.
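The request shape described above (a POST to wp-admin/admin-ajax.php whose action is FormMakerSQLMapping or generete_csv, with the payload in name or search_labels) is specific enough to write a log rule for. The following is an added example, not code from the advisory, the PoC or the plugin; it assumes the web tier records POST bodies to admin-ajax.php as JSON lines with the constructed fields ts, user, method, path and body. The action and parameter names come from the advisory; everything else, including the sample log, is constructed for the example.

```python
"""Log rule for the Form Maker admin-ajax.php SQL injection pattern (added example)."""
import json
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs

# Vulnerable admin-ajax.php action -> the parameter that reaches the SQL query
# (action and parameter names are the ones named in the advisory).
VULNERABLE_PARAMS = {
    "FormMakerSQLMapping": "name",
    "generete_csv": "search_labels",
}

# Injection indicators to look for in that parameter. Time-based primitives
# (SLEEP/BENCHMARK) are listed first because the advisory's PoC is a time-based
# blind technique; the rest are common SQL metacharacters and keywords.
SQLI_INDICATORS = re.compile(
    r"sleep\s*\(|benchmark\s*\(|union\s+(?:all\s+)?select|information_schema"
    r"|'\s*(?:or|and)\b|--\s|/\*|;\s*(?:drop|update|insert|delete)\b",
    re.IGNORECASE,
)


def classify_request(record: Dict) -> Optional[Dict]:
    """Return a finding for one request record, or None if the request is not an
    attempt against the two vulnerable actions.

    `record` uses a constructed log schema: ts, user, method, path and body
    (body is the raw application/x-www-form-urlencoded POST body).
    """
    if record.get("method") != "POST":
        return None  # the advisory describes POST requests to admin-ajax.php
    if not record.get("path", "").endswith("/wp-admin/admin-ajax.php"):
        return None
    # URL-decode the body so percent-encoded payloads (e.g. %28 for '(') are seen.
    params = parse_qs(record.get("body", ""), keep_blank_values=True)
    action = params.get("action", [""])[0]
    target = VULNERABLE_PARAMS.get(action)
    if target is None:
        return None  # some other AJAX action: out of scope for this rule
    value = params.get(target, [""])[0]
    match = SQLI_INDICATORS.search(value)
    if match is None:
        return None
    return {
        "ts": record.get("ts"),
        "user": record.get("user"),
        "action": action,
        "parameter": target,
        "indicator": match.group(0),
    }


def scan_log(lines: Iterable[str]) -> List[Dict]:
    """Run classify_request over JSON-lines input, skipping blank or malformed lines."""
    findings: List[Dict] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify_request(record)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log: two normal plugin requests, two injection attempts and
# one SLEEP() in an unrelated action. The last one is not flagged because the rule
# is scoped to the action/parameter pairs named in the advisory.
SAMPLE_LOG = """
{"ts": "2025-01-15T10:00:01Z", "user": "editor1", "method": "POST", "path": "/wp-admin/admin-ajax.php", "body": "action=FormMakerSQLMapping&name=customers"}
{"ts": "2025-01-15T10:00:07Z", "user": "editor1", "method": "POST", "path": "/wp-admin/admin-ajax.php", "body": "action=FormMakerSQLMapping&name=1%20AND%20SLEEP%285%29"}
{"ts": "2025-01-15T10:01:13Z", "user": "editor1", "method": "POST", "path": "/wp-admin/admin-ajax.php", "body": "action=generete_csv&search_labels=email%2Cphone"}
{"ts": "2025-01-15T10:01:20Z", "user": "editor1", "method": "POST", "path": "/wp-admin/admin-ajax.php", "body": "action=generete_csv&search_labels=SLEEP%283%29"}
{"ts": "2025-01-15T10:02:00Z", "user": "editor1", "method": "POST", "path": "/wp-admin/admin-ajax.php", "body": "action=heartbeat&data=SLEEP%285%29"}
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} user={f['user']} action={f['action']} "
              f"param={f['parameter']} indicator={f['indicator']!r}")
```

The rule keys on the authenticated user as well as the action, which matters here because the advisory notes that non-administrator accounts with access to the plugin pages can reach these actions; a finding attributed to a low-privilege account is exactly the case the workaround in the Mitigation section (restricting plugin admin pages to trusted administrators) is meant to close.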
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands on the WordPress database. This can lead to extraction of sensitive data (e.g., user credentials), modification of database content, or privilege escalation within the WordPress environment [1][2]. The attacker gains the ability to read and potentially alter any table the database user can access, which typically includes all WordPress tables [2].
Mitigation
The vendor released a fixed version after being contacted, but the specific patched version number is not explicitly stated in the available references [1][2]. Users should update the Form Maker plugin to the latest available version from the WordPress plugin repository. If an update is not possible, restrict access to the plugin admin pages to only the most trusted administrator accounts as a workaround. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.12.24
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] www.exploit-db.com/exploits/44853 (source: MITRE; type: exploit)
- [2] www.vulncheck.com/advisories/wordpress-form-maker-plugin-sql-injection-via-admin-ajax-php (source: MITRE; type: third-party advisory)
News mentions
No linked articles in our index yet.