VYPR
Medium severity (6.5, NVD) · NVD Advisory · Published Aug 29, 2025 · Updated Apr 15, 2026

CVE-2025-9441

Description

The iATS Online Forms plugin for WordPress is vulnerable to time-based SQL Injection via the 'order' parameter in all versions up to, and including, 1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Time-based SQL injection in the iATS Online Forms WordPress plugin allows authenticated attackers with Contributor-level access or above to extract sensitive data from the database.

The iATS Online Forms plugin for WordPress is vulnerable to time-based SQL injection in all versions up to and including 1.2. The vulnerability exists because the plugin places the user-supplied 'order' parameter into an SQL query without sufficient escaping or preparation [1], so the attacker controls part of the query text rather than just a bound value. This allows the query structure to be altered.

Exploitation requires an authenticated account with at least Contributor-level permissions. The attacker injects additional SQL by supplying a crafted value for the 'order' parameter. No other prerequisite or special network position is required beyond an ordinary WordPress login at that privilege level.

A successful attack enables extraction of sensitive information from the database. Because the injection is time-based (blind), query results are not returned in the response; the attacker instead injects conditional delays and infers data one bit or one character at a time from response latency. This is slower than an error- or union-based injection but works even when the page renders no query output. The delays are themselves a detectable signal: a burst of requests from one account with unusual 'order' values and consistently elevated response times.

The plugin was closed on August 27, 2025, because of this issue and is no longer available for download [1]. No patched version exists. Sites that still have it installed should remove it and migrate to an alternative.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)