WordPress Page Contact <= 1.0 - Authenticated (editor+) SQL Injection
Description
The Orders functionality in the WordPress Page Contact plugin through 1.0 has an `order_id` parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection. The feature is available to low-privilege users such as contributors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WordPress/Page Contact
- Range: <=1.0
Patches
Vulnerability mechanics
Root cause
"The `wpc_hidden_field` POST parameter is directly concatenated into SQL queries without sanitisation, escaping, or validation."
Attack vector
An attacker with Administrator-level access sends a crafted POST request to `/wp-admin/admin.php?page=wpagecontact-plugin` containing a malicious `wpc_hidden_field` value. The unsanitised value is interpolated directly into a SQL `SELECT` statement and a SQL `DELETE` statement, enabling SQL injection in both. [ref_id=1]
Affected code
The vulnerability resides in `/wpagecontact.php` at line 307, where the `wpc_hidden_field` POST parameter is directly concatenated into a SQL query without sanitisation, escaping, or validation. The same unsanitised parameter is also used in a DELETE query at line 313. [ref_id=1]
What the fix does
The advisory does not provide a patch diff. To remediate, the plugin must pass the `wpc_hidden_field` parameter through `$wpdb->prepare()` (WordPress's prepared-statement API, with a `%d` or `%s` placeholder) before it reaches either query, rather than concatenating it into the SQL string. If the `id` column expects numeric values, the developer should also validate that the input is an integer and reject anything else, since a value that merely gets escaped as a string would still reach the database as untyped input. [ref_id=1]
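The following is an added example, not code from the Page Contact plugin or from the advisory. It models the pattern described above (one POST parameter reused as an `id` in a `SELECT` and a `DELETE`) and places the hardened form next to it. The table name `wpc_contacts`, the function names, the `manage_options` capability and the `wpc_delete_row` nonce action are assumptions; the advisory does not name them.

```php
<?php
// Added example (not the plugin's code). Table name, function names,
// capability and nonce action are assumptions made for illustration.

// --- Vulnerable pattern: the shape of the bug the advisory describes ---
function wpc_delete_row_vulnerable() {
    global $wpdb;
    $table = $wpdb->prefix . 'wpc_contacts';   // assumed table name
    $id    = $_POST['wpc_hidden_field'];       // attacker-controlled, never validated

    // Direct interpolation: a value such as  1 OR 1=1  is parsed as SQL, not as data,
    // so the SELECT returns an arbitrary row and the DELETE removes every row.
    $row = $wpdb->get_row( "SELECT * FROM $table WHERE id = $id" );
    $wpdb->query( "DELETE FROM $table WHERE id = $id" );   // same raw value reused
    return $row;
}

// --- Hardened pattern ---
function wpc_delete_row_hardened() {
    global $wpdb;
    $table = $wpdb->prefix . 'wpc_contacts';   // assumed table name

    // 1. Authorisation and CSRF: require a capability and a valid nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'wpc_delete_row' );   // nonce action name assumed

    // 2. Type validation: the id column is numeric, so accept only digit strings.
    //    absint() alone would silently turn "1 OR 1=1" into 1 and delete row 1;
    //    an explicit check rejects the request instead.
    $raw = isset( $_POST['wpc_hidden_field'] ) ? wp_unslash( $_POST['wpc_hidden_field'] ) : '';
    if ( ! is_string( $raw ) || ! ctype_digit( $raw ) ) {
        wp_die( 'Invalid id', '', array( 'response' => 400 ) );
    }
    $id = (int) $raw;

    // 3. Parameterisation: %d binds the value as an integer. The literal string
    //    given to prepare() is the only SQL the database ever parses.
    $row = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id ) );
    if ( $row ) {
        $wpdb->query( $wpdb->prepare( "DELETE FROM {$table} WHERE id = %d", $id ) );
    }
    return $row;
}
```

The ordering matters: the capability and nonce checks run before any input is read, the integer check rejects rather than coerces, and only then does a bound parameter reach the database. The table name is built from `$wpdb->prefix`, not from request data, which is why interpolating it into the prepared query string is acceptable here.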
Preconditions
- auth: The attacker must have Administrator-level access to the WordPress site.
- config: The vulnerable plugin must be installed and active.
- network: The attacker must be able to send POST requests to the admin page.
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- codevigilant.com/disclosure/2021/wp-plugin-wpagecontact/ [MISC]
- wpscan.com/vulnerability/a87040c1-58fc-4bf7-8bfa-0b9712a62ba8 [MISC]
News mentions
No linked articles in our index yet.