CVE-2018-25347 in Contact Form Maker Plugin

Summary

by MITRE • 05/23/2026

WordPress Contact Form Maker Plugin 1.12.20 contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through the FormMakerSQLMapping and generete_csv_fmc AJAX actions. Attackers can inject malicious SQL code via the 'name' and 'search_labels' parameters to extract sensitive database information or escalate privileges.


Analysis

by VulDB Data Team • 05/24/2026

The WordPress Contact Form Maker plugin version 1.12.20 contains critical SQL injection vulnerabilities that pose significant security risks to affected systems. These vulnerabilities exist within the plugin's AJAX handling code, specifically in the FormMakerSQLMapping and generete_csv_fmc endpoints. The flaw allows authenticated attackers to execute arbitrary SQL commands by manipulating the 'name' and 'search_labels' parameters, which are not properly sanitized before being incorporated into database queries. This vulnerability represents a serious weakness in the plugin's input validation and query construction, creating pathways for unauthorized data access and potential privilege escalation.

Exploitation of these SQL injection flaws occurs through the plugin's AJAX actions, which handle dynamic form data processing and CSV generation. When an attacker submits a crafted payload through the 'name' parameter of FormMakerSQLMapping or the 'search_labels' parameter of generete_csv_fmc, the plugin fails to escape or validate the input before incorporating it into an SQL statement. This allows malicious actors to inject arbitrary SQL that can manipulate the underlying database, extract sensitive information, or modify existing records. Because the attack requires authentication, an attacker must first obtain valid user credentials; once authenticated, however, they can leverage these vulnerabilities to gain deeper access to the system's data.

The operational impact of these vulnerabilities extends beyond simple data theft, as they provide potential pathways for privilege escalation and persistent access to affected systems. Successful exploitation can expose user credentials, database schema information, and other sensitive data stored in the WordPress installation. The vulnerabilities affect the core functionality of the contact form plugin but can compromise the entire WordPress site, since database access frequently gives an attacker additional attack surface. Organizations running vulnerable versions of this plugin face significant risk of data breaches, system compromise, and potential regulatory compliance violations.

Organizations should immediately update to the latest version of the Contact Form Maker plugin to address these SQL injection vulnerabilities, as no patch was available for version 1.12.20. System administrators should implement additional security controls, including web application firewalls, input validation mechanisms, and regular security audits, to monitor for exploitation attempts. The vulnerabilities align with CWE-89 (SQL injection) and may map to attack techniques described in the attack tree framework under the privilege escalation and data access categories. Additionally, organizations should conduct thorough vulnerability assessments to identify other instances of similar weaknesses in their WordPress installations and deploy comprehensive monitoring to detect potential exploitation attempts.
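As an added illustration (not code from the Contact Form Maker plugin or from VulDB), the WordPress AJAX handlers below show the CWE-89 pattern the analysis describes, a request parameter concatenated into SQL text, next to a hardened version of the same handler. The action names, nonce names, table names and column allow-list are assumptions; the plugin's real handlers are not shown on this page. The second hardened function covers the case a CSV export typically runs into: column labels cannot be bound as values with `$wpdb->prepare()`, so they are mapped through an allow-list instead.

```php
<?php
// Added illustrative example; not the plugin's code. Action names, nonce names,
// table names and the column list are assumptions made for this example.

// VULNERABLE pattern (CWE-89): the 'name' parameter becomes part of the SQL text,
// so the value can change the structure of the query.
function example_sql_mapping_vulnerable() {
    global $wpdb;
    $name = isset( $_POST['name'] ) ? $_POST['name'] : '';
    $sql  = "SELECT id, label FROM {$wpdb->prefix}example_forms WHERE name = '" . $name . "'";
    $rows = $wpdb->get_results( $sql, ARRAY_A );
    wp_send_json_success( $rows ); // wp_send_json_* terminates the request
}

// HARDENED version: authorization, anti-CSRF nonce, typed input, bound parameter.
function example_sql_mapping_hardened() {
    global $wpdb;

    // 1. "Authenticated" is not "authorized": require a specific capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Reject forged requests (nonce name is an assumption; it must match the
    //    wp_create_nonce() call on the page that issues the request).
    check_ajax_referer( 'example_sql_mapping_nonce', 'nonce' );

    // 3. Normalize input to the shape you expect before it goes near the query.
    $name = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    if ( '' === $name || strlen( $name ) > 100 ) {
        wp_send_json_error( 'invalid name', 400 );
    }

    // 4. Bind the value: with a %s placeholder the value can never alter the SQL.
    $sql  = $wpdb->prepare(
        "SELECT id, label FROM {$wpdb->prefix}example_forms WHERE name = %s",
        $name
    );
    $rows = $wpdb->get_results( $sql, ARRAY_A );
    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_example_sql_mapping', 'example_sql_mapping_hardened' );

// HARDENED CSV export: user-selected column labels are identifiers, not values,
// so prepare() cannot bind them. Map each requested label onto a fixed allow-list
// and only ever splice allow-listed names into the query text.
function example_csv_export_hardened() {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_csv_nonce', 'nonce' );

    $allowed   = array( 'id', 'label', 'email', 'submitted_at' ); // assumed schema
    $requested = isset( $_POST['search_labels'] ) ? (array) wp_unslash( $_POST['search_labels'] ) : array();
    // sanitize_key() lowercases and strips everything except [a-z0-9_-]; the
    // intersection then discards any label that is not a known column.
    $columns   = array_values( array_intersect( $allowed, array_map( 'sanitize_key', $requested ) ) );
    if ( empty( $columns ) ) {
        wp_send_json_error( 'no valid columns requested', 400 );
    }

    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    $sql     = $wpdb->prepare(
        'SELECT ' . implode( ', ', $columns ) . " FROM {$wpdb->prefix}example_submissions WHERE form_id = %d",
        $form_id
    );
    $rows = $wpdb->get_results( $sql, ARRAY_A );
    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_example_csv_export', 'example_csv_export_hardened' );
```

The capability check is the control that most directly addresses the "authenticated attacker" precondition in the advisory: a low-privilege account that can reach `admin-ajax.php` should not be able to drive a query that reads other users' submissions at all, regardless of how the parameters are escaped. The allow-list in the export handler is the part practitioners most often get wrong; escaping functions meant for string values do nothing useful for column names, so the only safe option is to restrict identifiers to a known set.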

Responsible

VulnCheck

Reservation

05/23/2026

Disclosure

05/23/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00027

KEV

no

Activities

very low

Sources
