CVE-2019-25734 is a medium-severity vulnerability in Contact Form by WD 1.13.1. The vulnerability is a cross-site request forgery (CSRF) issue combined with local file inclusion, allowing unauthenticated attackers to include arbitrary files by exploiting unsanitized action parameters. Attackers can craft malicious forms targeting the admin-ajax.php endpoint with directory traversal sequences in the GET ac [truncated]
CVE-2018-25347 documents SQL injection vulnerabilities in WordPress Contact Form Maker Plugin version 1.12.20. The vulnerability allows authenticated attackers to manipulate database queries through two specific AJAX actions: FormMakerSQLMapping and generete_csv_fmc. Attack vectors include the 'name' and 'search_labels' parameters, which lack proper sanitization before being incorporated into SQL statemen [truncated]