PatchSiren cyber security CVE debrief
CVE-2018-25347 web-dorado CVE debrief
CVE-2018-25347 documents SQL injection vulnerabilities in WordPress Contact Form Maker Plugin version 1.12.20. The vulnerability allows authenticated attackers to manipulate database queries through two specific AJAX actions: FormMakerSQLMapping and generete_csv_fmc. Attack vectors include the 'name' and 'search_labels' parameters, which lack proper sanitization before being incorporated into SQL statements. Successful exploitation could enable sensitive database information extraction or privilege escalation. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no required user interaction, and low privileges required, with high confidentiality impact and low integrity impact. The vulnerability is classified as CWE-89 (SQL Injection). The CVE was published on 2026-05-23 and last modified on 2026-05-26, with current status marked as 'Deferred' in the NVD. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: web-dorado
- Product: Contact Form Maker
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-23
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-23
- Advisory updated: 2026-05-26
Who should care
WordPress site administrators using Contact Form Maker Plugin; security teams monitoring WordPress plugin vulnerabilities; web application firewall operators; database administrators responsible for WordPress backend security; compliance teams tracking CVE coverage for vulnerability management programs
Technical summary
CVE-2018-25347 is a SQL injection vulnerability (CWE-89) affecting WordPress Contact Form Maker Plugin version 1.12.20. The vulnerability exists in two AJAX action handlers: FormMakerSQLMapping and generete_csv_fmc. Insufficient input sanitization on the 'name' and 'search_labels' parameters allows authenticated attackers to inject arbitrary SQL code. The vulnerability requires low privileges (PR:L) with no user interaction (UI:N) and low attack complexity (AC:L). Impact includes high confidentiality compromise (VC:H) and low integrity compromise (VI:L), with no availability impact. Network-based exploitation is possible (AV:N). The CVSS 4.0 score of 7.1 reflects significant risk due to potential database compromise and privilege escalation capabilities.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Contact Form Maker Plugin to a version newer than 1.12.20; consult the plugin changelog or WordPress plugin repository for patched versions
- Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting AJAX endpoints containing 'FormMakerSQLMapping' or 'generete_csv_fmc'
- Review and restrict WordPress user roles to enforce principle of least privilege, as exploitation requires authenticated access
- Audit database query logs for anomalous patterns originating from Contact Form Maker Plugin AJAX handlers
- Disable or remove the Contact Form Maker Plugin if patching is not immediately feasible and alternative form solutions are available
- Monitor for unauthorized database access attempts or unexpected privilege changes in WordPress administrative accounts
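As an added detection example (not part of the PatchSiren advisory or the plugin), the script below scans web-server access-log lines for the two vulnerable AJAX actions and flags 'name' or 'search_labels' values carrying SQL metacharacters. It assumes the actions are reached through WordPress's admin-ajax.php endpoint; the log lines are constructed samples.

```python
"""Flag requests to the CVE-2018-25347 AJAX actions whose 'name' or
'search_labels' parameter carries SQL-injection indicators."""
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: WordPress dispatches plugin AJAX actions via admin-ajax.php
VULNERABLE_ACTIONS = {"FormMakerSQLMapping", "generete_csv_fmc"}
WATCHED_PARAMS = ("name", "search_labels")

# Broad SQL-injection indicators; tune against real traffic to limit false positives
SQLI_PATTERN = re.compile(
    r"('|\"|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bor\b\s+\d+\s*=\s*\d+)",
    re.IGNORECASE,
)

# Minimal common-log-format parser: request line and status code
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample log: benign calls, two injection attempts, one unrelated action
SAMPLE_LOG = """\
203.0.113.5 - - [23/May/2026:19:16:54 +0000] "GET /wp-admin/admin-ajax.php?action=FormMakerSQLMapping&name=contact_form HTTP/1.1" 200 512
203.0.113.5 - - [23/May/2026:19:17:02 +0000] "GET /wp-admin/admin-ajax.php?action=FormMakerSQLMapping&name=x%27%20UNION%20SELECT%20user_pass%20FROM%20wp_users--%20 HTTP/1.1" 200 9044
198.51.100.7 - - [23/May/2026:19:18:11 +0000] "GET /wp-admin/admin-ajax.php?action=generete_csv_fmc&search_labels=Email%20Address HTTP/1.1" 200 1200
198.51.100.7 - - [23/May/2026:19:18:40 +0000] "GET /wp-admin/admin-ajax.php?action=generete_csv_fmc&search_labels=a%27%20OR%201%3D1%23 HTTP/1.1" 200 7300
192.0.2.9 - - [23/May/2026:19:19:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&name=%27 HTTP/1.1" 200 40
"""


def flag_suspicious(log_text):
    """Return (client_ip, action, param, decoded_value) for each suspect request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/admin-ajax.php"):
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
        action = qs.get("action", [""])[0]
        if action not in VULNERABLE_ACTIONS:
            continue  # other actions are out of scope for this CVE
        for param in WATCHED_PARAMS:
            for value in qs.get(param, []):
                if SQLI_PATTERN.search(value):
                    hits.append((line.split()[0], action, param, value))
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG):
        print("suspect request:", hit)
```

Access logs only record the query string, so parameters sent in a POST body need WAF or application-level logging to be visible to this check.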
Evidence notes
Vulnerability affects Contact Form Maker Plugin 1.12.20 specifically. Two distinct AJAX endpoints identified as vulnerable: FormMakerSQLMapping and generete_csv_fmc. Multiple injection points confirmed: 'name' and 'search_labels' parameters. Authentication required for exploitation (PR:L). CVSS 4.0 scoring applied with high confidentiality impact.
Official resources
2026-05-23T19:16:54.723Z