CVE-2025-24773

EUVD-2025-18522 | CRITICAL | CVSS 3.1 base score 9.3
Published 2025-06-17 [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: Low

Lifecycle Timeline (3 events)

EUVD ID Assigned: Mar 14, 2026 - 22:15 (euvd), EUVD-2025-18522
Analysis Generated: Mar 14, 2026 - 22:15 (vuln.today)
CVE Published: Jun 17, 2025 - 15:15 (nvd), CRITICAL 9.3

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPCRM - CRM for Contact form CF7 & WooCommerce allows SQL Injection. This issue affects WPCRM - CRM for Contact form CF7 & WooCommerce: from n/a through 3.2.0.

Analysis

Critical SQL injection vulnerability in the WPCRM plugin (versions up to 3.2.0) for WordPress, affecting deployments that integrate Contact Form 7 and WooCommerce. An unauthenticated remote attacker can inject arbitrary SQL commands (CVSS 9.3; the EPSS score is likely elevated) to extract sensitive customer relationship and transaction data, while direct data modification and availability impacts are limited. Immediate patching is strongly recommended for all affected installations.

Technical Context

WPCRM is a WordPress plugin (CPE: wp:mojoomla:wpcrm) that bridges Contact Form 7 contact submissions and WooCommerce e-commerce data into a unified CRM system. The vulnerability stems from improper input validation and parameterization in SQL query construction (CWE-89: Improper Neutralization of Special Elements used in an SQL Command). Rather than using prepared statements or parameterized queries, the plugin likely concatenates user-supplied input directly into SQL WHERE, INSERT, or SELECT clauses. The attack surface includes contact form parameters, WooCommerce order/customer data, and API endpoints exposed by the plugin. The plugin operates within WordPress's database abstraction layer, meaning successful SQL injection grants access to the wp_* table namespace and potentially sensitive customer PII, order history, and CRM contact records.
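The following is an added illustration of the CWE-89 pattern the paragraph describes and of the $wpdb-based fix; it is example code written for this page, not code from the WPCRM plugin, and the table name (crm_contacts), the function names and the REST route are hypothetical. It pairs the string-concatenation anti-pattern with the prepared-statement form WordPress provides, and, because the CVSS vector records PR:N, shows the endpoint layer where an authorization check belongs as well.

```php
<?php
// Added illustration for CVE-2025-24773's bug class (CWE-89), written for this
// page; NOT code from the WPCRM plugin. Table, function and route names are
// hypothetical.

// Anti-pattern: user input concatenated straight into the SQL text. A quote
// character in $email changes the structure of the statement itself.
function crm_example_find_contact_unsafe( $email ) {
    global $wpdb;
    $table = $wpdb->prefix . 'crm_contacts'; // hypothetical table
    $sql   = "SELECT id, name, email FROM {$table} WHERE email = '" . $email . "'";
    return $wpdb->get_results( $sql );
}

// Hardened: $wpdb->prepare() binds the value through a typed placeholder
// (%s string, %d integer, %f float); the input is treated as data, never as SQL.
function crm_example_find_contact_safe( $email ) {
    global $wpdb;
    $table = $wpdb->prefix . 'crm_contacts';
    $sql   = $wpdb->prepare(
        "SELECT id, name, email FROM {$table} WHERE email = %s",
        $email
    );
    return $wpdb->get_results( $sql );
}

// Prefix searches need two steps: esc_like() neutralizes the LIKE
// metacharacters % and _, and prepare() still binds the resulting string.
function crm_example_search_contacts_safe( $name_prefix, $limit = 20 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'crm_contacts';
    $like  = $wpdb->esc_like( $name_prefix ) . '%';
    $sql   = $wpdb->prepare(
        "SELECT id, name, email FROM {$table} WHERE name LIKE %s LIMIT %d",
        $like,
        (int) $limit
    );
    return $wpdb->get_results( $sql );
}

// PR:N / AV:N means the vulnerable query was reachable by anonymous callers.
// An endpoint should validate its parameter and require a capability; the
// parameterized query is then the second layer, not the only one.
add_action( 'rest_api_init', function () {
    register_rest_route( 'crm-example/v1', '/contact', array(
        'methods'             => 'GET',
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response(
                crm_example_find_contact_safe( $request->get_param( 'email' ) )
            );
        },
        // Deny anonymous callers; pick the capability that fits the plugin's role model.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'email' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_email',
                'validate_callback' => function ( $value ) {
                    return is_email( $value ) !== false;
                },
            ),
        ),
    ) );
} );
```

Two details matter in practice: a literal percent sign inside a prepare() format string must be written as %%, and a prepared query only closes the injection; it does not close the missing-authorization gap that the Privileges Required: None rating points at, which is why the route above carries its own permission_callback.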

Affected Products

Vendor: mojoomla
Product: WPCRM - CRM for Contact form CF7 & WooCommerce
Affected Versions: 3.2.0 and earlier (version range: n/a through 3.2.0, i.e. all versions up to and including 3.2.0 are vulnerable)
WordPress Plugin CPE: wp:mojoomla:wpcrm:*:*:*:*:*:*

The vulnerability affects WordPress installations with:
(1) WPCRM plugin version 3.2.0 or lower installed and activated;
(2) Contact Form 7 integration enabled;
(3) WooCommerce plugin active;
(4) Database-backed form submissions or order tracking enabled.

Typical deployment: WordPress multisite or single-site e-commerce stores using Contact Form 7 for lead capture and WPCRM to centralize customer interactions.

Remediation

Immediate Actions:
(1) Update the WPCRM plugin to version 3.2.1 or later (the patch version is not explicitly provided in the CVE description; verify via the WordPress.org plugin repository or mojoomla's website).
(2) If an update is unavailable, disable the WPCRM plugin immediately and switch to an alternative CRM integration (e.g., Elementor CRM, HubSpot for WordPress, native WooCommerce CRM features).

Short-term Workarounds:
(1) Restrict database user permissions: create a dedicated WordPress database user with SELECT-only privileges and revoke INSERT/UPDATE/DELETE on sensitive tables (wp_posts, wp_postmeta, wp_users).
(2) Implement Web Application Firewall (WAF) rules to block SQL injection patterns in plugin endpoints (e.g., block requests containing UNION, SELECT, OR 1=1 in POST/GET parameters).
(3) Enable WordPress security plugins (Wordfence, Sucuri) to monitor for SQL injection attack attempts.

Long-term:
(1) Apply the official patch once released by mojoomla.
(2) Conduct a security code review of the WPCRM source code to audit for similar SQL injection flaws in other database queries.
(3) Implement automated dependency scanning in CI/CD pipelines.

Vendor Advisory: Check mojoomla's official website and the WordPress.org plugin page for patch release notes and CVE acknowledgment.
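As an added example for the WAF and monitoring workarounds above (example code for this page, not part of the advisory or of the plugin), the script below triages web-server access log lines for the keyword patterns the advisory names. It only inspects requests aimed at a plugin endpoint, identified here by a hypothetical wpcrm_ marker in the decoded request, so that ordinary site searches containing the word "select" are not flagged; the log lines are constructed for the demonstration.

```php
<?php
// Added log-triage example for this page; not the plugin's or the advisory's
// own code. The endpoint marker "wpcrm_" and every log line below are
// constructed assumptions, not captured traffic.

const CRM_EXAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [17/Jun/2025:15:20:01 +0000] "GET /wp-admin/admin-ajax.php?action=wpcrm_lookup&email=alice%40example.com HTTP/1.1" 200 512
203.0.113.11 - - [17/Jun/2025:15:21:44 +0000] "GET /wp-admin/admin-ajax.php?action=wpcrm_lookup&email=x%27%20OR%201%3D1 HTTP/1.1" 200 8192
203.0.113.12 - - [17/Jun/2025:15:22:09 +0000] "GET /wp-admin/admin-ajax.php?action=wpcrm_lookup&email=y%27%20UNION%20SELECT%201 HTTP/1.1" 200 9000
203.0.113.13 - - [17/Jun/2025:15:23:30 +0000] "GET /?s=select+a+plan HTTP/1.1" 200 3000
LOG;

/**
 * Return the log entries whose decoded request both targets the plugin
 * endpoint and contains one of the advisory's SQL keyword patterns.
 * Matching on the raw keyword "SELECT" alone would flag the site search on
 * the last line, so the marker check and the multi-token patterns are what
 * keep the false-positive rate tolerable.
 */
function crm_example_flag_requests( string $log, string $endpoint_marker = 'wpcrm_' ): array {
    // Patterns named in the advisory (UNION, SELECT, OR 1=1), written as
    // multi-token expressions rather than bare words.
    $pattern = '/\b(?:union\s+(?:all\s+)?select|or\s+1\s*=\s*1|select\s+.+\s+from)\b/i';
    // Common Log Format: ip ident user [time] "method target proto" status size
    $line_re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';

    $flagged = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        if ( ! preg_match( $line_re, $line, $m ) ) {
            continue; // not a CLF line; skip rather than guess
        }
        $decoded = urldecode( $m[4] ); // also turns '+' into a space for GET
        if ( stripos( $decoded, $endpoint_marker ) === false ) {
            continue; // not a plugin endpoint; out of scope for this rule
        }
        if ( preg_match( $pattern, $decoded, $hit ) ) {
            $flagged[] = array(
                'ip'      => $m[1],
                'time'    => $m[2],
                'method'  => $m[3],
                'status'  => (int) $m[5],
                'bytes'   => (int) $m[6],
                'match'   => $hit[0],
                'request' => $decoded,
            );
        }
    }
    return $flagged;
}

// Report: two of the four constructed lines are flagged; the site search is not.
foreach ( crm_example_flag_requests( CRM_EXAMPLE_LOG ) as $f ) {
    printf(
        "%s %s %s status=%d bytes=%d matched=[%s]\n  %s\n",
        $f['time'], $f['ip'], $f['method'], $f['status'], $f['bytes'], $f['match'], $f['request']
    );
}
```

When this is run against real logs, a 200 status with an unusually large response size on a flagged request is the detail worth escalating, since it suggests the query succeeded and returned data rather than erroring out; POST bodies are not in access logs, so the same rule needs a WAF or application-level hook to cover POST parameters.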

Priority Score

47 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +46
POC: 0
