CVE-2018-25347
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Author Request), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
The WordPress Contact Form Maker Plugin <=1.12.20 has SQL injection flaws in AJAX actions allowing authenticated attackers to read or modify database contents via crafted parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WordPress Contact Form Maker Plugin versions 1.12.20 and prior contain multiple SQL injection vulnerabilities. The flaws reside in the FormMakerSQLMapping_fmc and generete_csv_fmc AJAX actions, accessible via wp-admin/admin-ajax.php. Attackers inject malicious SQL code through the 'name' parameter in the FormMakerSQLMapping_fmc action and the 'search_labels' parameter in the generete_csv_fmc action. The plugin is now closed and removed from the official WordPress directory as of June 2023, with no patched version being distributed [1][2][3][4].
Exploitation
An attacker must be an authenticated WordPress user with permission to access the plugin's settings pages. This includes administrators, but also any other user granted such access. The attacker crafts a form submission (e.g., via an HTML/JavaScript snippet) that sends a POST request to the vulnerable AJAX actions. The malicious payload is embedded in the name or search_labels parameters, such as wp_users WHERE 42=42 AND SLEEP(42)--; or (SELECT * FROM (SELECT(SLEEP(42)))XXX). No additional network position is required beyond being logged in to the WordPress site [1].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL commands against the WordPress database. This can lead to the extraction of sensitive information (e.g., user credentials, private data), modification of database contents, or privilege escalation. The impact is limited by the attacker's existing authentication, but the vulnerabilities enable the attacker to bypass intended data access controls and achieve higher privilege levels than assigned [1][3].
Mitigation
The plugin has been permanently closed on WordPress.org as of June 15, 2023, and is no longer available for download. No official patched version exists. Users who have the plugin installed should uninstall it immediately and seek an alternative contact form plugin. There are no workarounds available within the plugin itself. This vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [2][4].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.12.20
Patches
contact-form-maker: This plugin has been removed from the WordPress.org directory on 2023-06-15 (reason: Author Request). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
Vulnerability mechanics
Root cause
"Missing input sanitization in the 'name' and 'search_labels' parameters allows direct SQL injection into database queries."
Attack vector
An authenticated attacker who can access the plugin settings page (administrator or any authorized user) sends a crafted POST request to `/wp-admin/admin-ajax.php`. The first vector uses `action=FormMakerSQLMapping_fmc&task=db_table_struct` with a `name` parameter carrying an SQL injection payload such as `wp_users WHERE 42=42 AND SLEEP(42)--`. The second vector uses `action=generete_csv_fmc` with a `search_labels` parameter carrying a subquery-based payload such as `(SELECT * FROM (SELECT(SLEEP(42)))XXX)`. Neither parameter is sanitized, so arbitrary SQL is executed against the database [1].
Affected code
The vulnerabilities reside in the WordPress Contact Form Maker plugin version 1.12.20 and below. Two AJAX actions are affected: `FormMakerSQLMapping_fmc` (task `db_table_struct`) and `generete_csv_fmc`. The `name` parameter in the first action and the `search_labels` parameter in the second action are passed unsanitized into SQL queries [1].
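The root cause above is a classic identifier-versus-value confusion: `name` is used as a table name, which `$wpdb->prepare()` cannot quote, while `search_labels` is an ordinary value. The following is an added example, not the plugin's own code: hypothetical hardened handlers for both AJAX actions, where the nonce action names, the `formmaker_submits` table and its `id`/`label` columns are assumptions.

```php
<?php
// Added example, not the plugin's code: hypothetical hardened handlers for the two
// AJAX actions. Nonce action names, table and column names are assumed.
// Vulnerable pattern (illustrative reconstruction of the root cause, do not use):
//   $wpdb->get_results( 'SHOW COLUMNS FROM ' . $_POST['name'] );

add_action( 'wp_ajax_FormMakerSQLMapping_fmc', 'fm_db_table_struct_hardened' );
add_action( 'wp_ajax_generete_csv_fmc', 'fm_generate_csv_hardened' );

function fm_db_table_struct_hardened() {
    global $wpdb;
    // Capability and nonce checks gate the action to an intended admin workflow.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'fm_sql_mapping', 'nonce' );

    // A table name is an identifier, not a value: prepare() placeholders cannot
    // quote it, so the only safe approach is an allow-list of existing tables.
    $requested = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    if ( ! in_array( $requested, $wpdb->get_col( 'SHOW TABLES' ), true ) ) {
        wp_send_json_error( 'unknown table', 400 );
    }
    // Known-good name; quote it as an identifier anyway.
    $ident   = '`' . str_replace( '`', '``', $requested ) . '`';
    $columns = $wpdb->get_results( "SHOW COLUMNS FROM {$ident}", ARRAY_A );
    wp_send_json_success( $columns );
}

function fm_generate_csv_hardened() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'fm_csv_export', 'nonce' );

    // search_labels is a value, so a %s placeholder is the right tool; esc_like()
    // stops user-supplied % and _ from acting as LIKE wildcards.
    $term = sanitize_text_field( wp_unslash( $_POST['search_labels'] ?? '' ) );
    $sql  = $wpdb->prepare(
        "SELECT id, label FROM {$wpdb->prefix}formmaker_submits WHERE label LIKE %s",
        '%' . $wpdb->esc_like( $term ) . '%'
    );
    wp_send_json_success( $wpdb->get_results( $sql, ARRAY_A ) );
}
```

The allow-list check is what closes the `name` vector: even a payload that matches the shape of a table name is rejected unless it equals an existing table exactly, and the nonce check additionally stops a logged-in admin from being driven into the request by a third-party page.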
What the fix does
The exploit-db entry does not include a patch or vendor advisory. The recommended remediation is to upgrade to a version newer than 1.12.20, as the vulnerability affects version 1.12.20 and below. No official fix details are published in the provided reference [1].
Preconditions
- auth: Attacker must be authenticated as a user with access to the plugin settings page (administrator or other authorized role)
- network: Attacker must be able to send POST requests to the WordPress admin-ajax.php endpoint
- config: The vulnerable plugin version must be 1.12.20 or below
- input: Attacker supplies malicious SQL payloads via the 'name' or 'search_labels' POST parameters
Reproduction
1. Log in to WordPress as an administrator (or a user authorized to access the plugin settings).
2. Open the browser console and execute the following HTML/JavaScript snippet for PoC 1:
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.