Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aman Views for WPForms views-for-wpforms-lite allows Blind SQL Injection.This issue affects Views for WPForms: from n/a through <= 3.4.6.
AnalysisAI
Blind SQL injection in Views for WPForms WordPress plugin (versions ≤3.4.6) allows authenticated low-privilege attackers with network access to extract sensitive database contents. The vulnerability enables cross-scope compromise with high confidentiality impact and limited availability disruption. Patchstack reported this SQLi flaw; no public exploit identified at time of analysis. EPSS data not available, suggesting lower immediate exploitation probability, though the low attack complexity (AC:L) makes exploitation straightforward once authenticated access is obtained.
Technical ContextAI
This is a blind SQL injection vulnerability (CWE-89) affecting the Views for WPForms WordPress plugin by Aman. The flaw stems from improper neutralization of SQL special characters in user-controlled input, allowing attackers to inject malicious SQL commands into database queries. Blind SQLi differs from direct SQLi in that attackers cannot see query results directly but can infer database contents through timing attacks, boolean-based logic, or error messages. The vulnerability exists in the views-for-wpforms-lite plugin component (CPE: cpe:2.3:a:aman:views_for_wpforms:*:*:*:*:*:*:*:*), which provides enhanced viewing capabilities for WPForms submissions. The WordPress plugin architecture allows authenticated users to interact with form data views, and insufficient input validation in these interactions creates the SQL injection vector. The Scope:Changed (S:C) CVSS metric indicates the vulnerability can impact resources beyond the plugin itself, potentially compromising the entire WordPress database and connected components.
RemediationAI
Security teams should immediately check for patched versions by consulting the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/views-for-wpforms-lite/vulnerability/wordpress-views-for-wpforms-plugin-3-4-6-sql-injection-vulnerability and the WordPress plugin repository for Views for WPForms updates beyond version 3.4.6. No vendor-released patch version is confirmed in provided data at time of analysis. If no patch is available, implement these compensating controls: (1) Restrict plugin access to administrator accounts only by removing Subscriber/Contributor/Editor capabilities to access Views for WPForms features through WordPress role management - this eliminates the PR:L attack vector but may break legitimate multi-user workflows; (2) Deploy web application firewall rules to detect and block SQL injection patterns in requests to the plugin's endpoints - WAF rules may generate false positives requiring tuning; (3) Enable WordPress database query logging and monitor for anomalous SELECT statements with timing delays or boolean logic indicative of blind SQLi attempts; (4) As a last resort, deactivate and remove the plugin if view functionality is non-critical - this eliminates risk but removes all plugin features. Prioritize vendor patch deployment once available over workarounds.
More in Views For Wpforms
View allThe Views for WPForms - Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unaut
The Views for WPForms - Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unaut
The Views for WPForms - Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unaut
The Views for WPForms - Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to Cross
The Views for WPForms - Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to Cross
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29451
GHSA-7mfx-xwxr-fq6r