CVE-2018-25347
NVD
CVSS Score: 7.1
Severity: HIGH
Published: May 23, 2026
Vendor: unknown
Description
WordPress Contact Form Maker Plugin 1.12.20 contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through the FormMakerSQLMapping and generete_csv_fmc AJAX actions. Attackers can inject malicious SQL code via the 'name' and 'search_labels' parameters to extract sensitive database information or escalate privileges.