Skip to main content

Views for WPForms CVE-2026-42742

| EUVDEUVD-2026-29451 HIGH
SQL Injection (CWE-89)
2026-05-12 Patchstack GHSA-7mfx-xwxr-fq6r
8.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 11:31 vuln.today
CVE Published
May 12, 2026 - 11:02 nvd
HIGH 8.5

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aman Views for WPForms views-for-wpforms-lite allows Blind SQL Injection.This issue affects Views for WPForms: from n/a through <= 3.4.6.

AnalysisAI

Blind SQL injection in Views for WPForms WordPress plugin (versions ≤3.4.6) allows authenticated low-privilege attackers with network access to extract sensitive database contents. The vulnerability enables cross-scope compromise with high confidentiality impact and limited availability disruption. Patchstack reported this SQLi flaw; no public exploit identified at time of analysis. EPSS data not available, suggesting lower immediate exploitation probability, though the low attack complexity (AC:L) makes exploitation straightforward once authenticated access is obtained.

Technical ContextAI

This is a blind SQL injection vulnerability (CWE-89) affecting the Views for WPForms WordPress plugin by Aman. The flaw stems from improper neutralization of SQL special characters in user-controlled input, allowing attackers to inject malicious SQL commands into database queries. Blind SQLi differs from direct SQLi in that attackers cannot see query results directly but can infer database contents through timing attacks, boolean-based logic, or error messages. The vulnerability exists in the views-for-wpforms-lite plugin component (CPE: cpe:2.3:a:aman:views_for_wpforms:*:*:*:*:*:*:*:*), which provides enhanced viewing capabilities for WPForms submissions. The WordPress plugin architecture allows authenticated users to interact with form data views, and insufficient input validation in these interactions creates the SQL injection vector. The Scope:Changed (S:C) CVSS metric indicates the vulnerability can impact resources beyond the plugin itself, potentially compromising the entire WordPress database and connected components.

RemediationAI

Security teams should immediately check for patched versions by consulting the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/views-for-wpforms-lite/vulnerability/wordpress-views-for-wpforms-plugin-3-4-6-sql-injection-vulnerability and the WordPress plugin repository for Views for WPForms updates beyond version 3.4.6. No vendor-released patch version is confirmed in provided data at time of analysis. If no patch is available, implement these compensating controls: (1) Restrict plugin access to administrator accounts only by removing Subscriber/Contributor/Editor capabilities to access Views for WPForms features through WordPress role management - this eliminates the PR:L attack vector but may break legitimate multi-user workflows; (2) Deploy web application firewall rules to detect and block SQL injection patterns in requests to the plugin's endpoints - WAF rules may generate false positives requiring tuning; (3) Enable WordPress database query logging and monitor for anomalous SELECT statements with timing delays or boolean logic indicative of blind SQLi attempts; (4) As a last resort, deactivate and remove the plugin if view functionality is non-critical - this eliminates risk but removes all plugin features. Prioritize vendor patch deployment once available over workarounds.

Share

CVE-2026-42742 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy