Wow Forms <= 3.1.3 - Admin+ SQL Injection
Description
The Wow Forms WordPress plugin through 3.1.3 is vulnerable to authenticated SQL injection via the 'did' parameter in the delete form functionality.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Wow Forms WordPress plugin through version 3.1.3 fails to sanitize or escape the `did` GET parameter before using it in a SQL statement within the delete form functionality. The vulnerable code is located in `main.php` at line 13, where the parameter is directly concatenated into a DELETE query: `$wpdb->query("delete from " . $data . " where id=" . $delid);`. This allows an authenticated attacker with administrator-level access to inject arbitrary SQL [1][2].
Exploitation
An attacker must have administrator privileges on the WordPress site. The exploit is performed by sending a crafted GET request to `/wp-admin/admin.php?page=mwp-forms&info=del&did=`. The payload can include time-based blind SQL injection techniques, such as `1 AND (SELECT 9063 FROM (SELECT(SLEEP(5)))YGWC)`, to extract information or manipulate the database [1]. No additional user interaction is required beyond the attacker's own actions.
Impact
Successful exploitation allows the attacker to execute arbitrary SQL commands on the WordPress database. This can lead to data exfiltration (e.g., user credentials, sensitive information), modification or deletion of database content, and potentially privilege escalation or complete site compromise. The impact is limited to the database layer, but given the attacker already has admin access, the injection can bypass intended restrictions [1][2].
Mitigation
As of the latest references, no official fix has been released for this vulnerability. The plugin was closed on June 18, 2021, and remains unavailable in the WordPress plugin repository [1][2]. Users are strongly advised to remove or disable the Wow Forms plugin immediately and migrate to an alternative form solution. No workaround is available that does not involve code changes.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress / Wow Forms
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `did` GET parameter is directly concatenated into a SQL DELETE statement without sanitization or escaping."
Attack vector
An authenticated administrator can exploit the delete form functionality by sending a crafted GET request to `/wp-admin/admin.php?page=mwp-forms&info=del&did=1 AND (SELECT 9063 FROM (SELECT(SLEEP(5)))YGWC)`. The `did` parameter is injected directly into the SQL query, enabling time-based blind SQL injection [ref_id=1]. The attacker must have administrator-level access to the WordPress dashboard.
Affected code
The vulnerability is in `main.php` line 13 of the Wow Forms (mwp-forms) plugin. The `$_GET["did"]` parameter is taken directly from user input and concatenated into a `DELETE` SQL statement without any sanitization, validation, or escaping.
What the fix does
The advisory does not include a patch diff. To remediate, the plugin should use a prepared statement or `$wpdb->prepare()` with a placeholder for the `did` parameter, and validate that the value is an integer before using it in the query. The advisory notes the plugin was closed on June 18, 2021, and no fixed version has been published.
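A hardened version of the delete handler, written here as an added example (it is not the plugin's own code); the function name, nonce action and table name are assumptions:

```php
<?php
// Added example, not Wow Forms code. Function, nonce action and table names are assumed.
//
// Vulnerable pattern quoted in the advisory (main.php line 13):
//   $wpdb->query("delete from " . $data . " where id=" . $delid);
// $delid comes straight from $_GET["did"], so attacker-controlled text becomes SQL.

function mwp_example_delete_form() {
    global $wpdb;

    // Only administrators may delete, and the request must carry a valid nonce so a
    // forged link cannot trigger the deletion (assumed nonce action name).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'mwp_example_delete_form' );

    // Validate the id as a positive integer before it gets anywhere near the database.
    $did = isset( $_GET['did'] ) ? absint( wp_unslash( $_GET['did'] ) ) : 0;
    if ( 0 === $did ) {
        wp_die( 'Invalid form id.' );
    }

    // Table names are not bound through placeholders on every supported WordPress
    // version, so the table comes from a fixed allowlist, never from request input.
    $allowed_tables = array(
        'forms' => $wpdb->prefix . 'mwp_forms', // assumed table name
    );
    $table = $allowed_tables['forms'];

    // %d binds the value as an integer; nothing from the request is spliced into SQL text.
    $deleted = $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$table} WHERE id = %d", $did )
    );

    if ( false === $deleted ) {
        wp_die( 'Database error while deleting form.' );
    }
    return $deleted; // number of rows removed (0 if the id did not exist)
}
```

The same pattern (capability check, nonce, integer validation, `$wpdb->prepare()`) applies to any other admin action in the plugin that takes a record id from the query string.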
Preconditions
- Auth: the attacker must be logged in as an Administrator in WordPress.
- Config: the Wow Forms (mwp-forms) plugin version 3.1.3 (or lower) must be installed and active.
- Network: the attacker must have network access to the WordPress admin dashboard.
Reproduction
Send a GET request to `/wp-admin/admin.php?page=mwp-forms&info=del&did=1 AND (SELECT 9063 FROM (SELECT(SLEEP(5)))YGWC)` while authenticated as an administrator. The server will delay the response by approximately 5 seconds if the injection succeeds [ref_id=1].
Generated on May 29, 2026. Inputs: CWE entries and fix-commit diffs from this CVE's patches. Citations validated against the bundle.
References
- [1] https://codevigilant.com/disclosure/2021/wp-plugin-mwp-forms/ (MISC)
- [2] https://wpscan.com/vulnerability/d742ab35-4e2d-42a8-bebc-b953b2e10e3c (MISC)
News mentions
No linked articles in our index yet.