WP Forms Connector <= 1.8 - Unauthenticated SQL Injection via 'order' Parameter
Description
The WP Forms Connector plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/wp/v3/post/list REST endpoint in versions up to and including 1.8. This is due to insufficient escaping on the user-supplied 'order' parameter (read directly from $_GET['order'] into $shorting) and the lack of sufficient preparation on the existing SQL query in the listPost() function, where the value is concatenated unquoted into the ORDER BY clause and executed via $wpdb->get_results() without $wpdb->prepare(). The endpoint is registered with permission_callback '__return_true' and performs only a broken header-based check that validates the supplied 'Username' corresponds to an administrator account while never verifying the 'Password'. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: <=1.8
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization on the `order` parameter and lack of parameterized queries allow SQL injection in the `listPost()` function."
Attack vector
An unauthenticated attacker can send a GET request to the `/wp/v3/post/list` REST endpoint with a malicious `order` parameter. Because the endpoint's `permission_callback` is `'__return_true'` and the header-based authentication only checks that the `Username` header matches an administrator account (without verifying the `Password`), the attacker bypasses authentication. The unsanitized `order` value is injected directly into the `ORDER BY` clause, enabling SQL injection that can be leveraged to extract sensitive database contents.
Affected code
The vulnerability resides in the `listPost()` method of the `wpCommonAPI` class (registered at `/wp/v3/post/list`). The `$shorting` variable is populated directly from `$_GET['order']` and concatenated unquoted into the `ORDER BY` clause of a SQL query executed via `$wpdb->get_results()` without using `$wpdb->prepare()`. Additionally, the endpoint's `permission_callback` is set to `'__return_true'`, and the header-based authentication check validates only that the supplied `Username` corresponds to an administrator account without verifying the `Password`.
What the fix does
The advisory does not provide a patch. To remediate, the `$shorting` value must be validated against a whitelist of allowed sort directions (e.g., `ASC` or `DESC`) and the SQL query should use `$wpdb->prepare()` with a placeholder instead of direct concatenation. Additionally, the authentication logic must be corrected to actually verify the password via `wp_signon()` or `wp_check_password()` rather than merely checking that a username exists.
Preconditions
- configThe WP Forms Connector plugin version 1.8 or earlier must be installed and active.
- authThe attacker must know or guess a valid administrator username to supply in the `Username` header.
- networkThe attacker must be able to send HTTP requests to the WordPress REST API endpoint `/wp/v3/post/list`.
- inputThe attacker supplies a crafted `order` parameter containing SQL injection payloads.
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- plugins.trac.wordpress.org/browser/wp-forms-connector/tags/1.8/WP-Forms-Connector.phpmitre
- plugins.trac.wordpress.org/browser/wp-forms-connector/tags/1.8/WP-Forms-Connector.phpmitre
- plugins.trac.wordpress.org/browser/wp-forms-connector/tags/1.8/WP-Forms-Connector.phpmitre
- www.wordfence.com/threat-intel/vulnerabilities/id/2cd53590-ded1-4e68-a9a3-aa1d2d880b80mitre
News mentions
0No linked articles in our index yet.