Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Blind SQL Injection.This issue affects Easy Form Builder: from n/a through <= 4.0.6.
AnalysisAI
Blind SQL injection in the Easy Form Builder WordPress plugin (by hassantafreshi), affecting all versions up to and including 4.0.6, lets remote unauthenticated attackers inject crafted SQL into backend database queries. With a CVSS of 9.3 and a scope-changed vector, a successful attack can read sensitive data across the database and impact availability. There is no public exploit identified at time of analysis, and the EPSS score is very low (0.03%, 9th percentile), indicating no observed mass exploitation yet despite the high severity rating.
Technical ContextAI
Easy Form Builder is a WordPress plugin used to create custom forms; like most WordPress plugins it interacts with the site's underlying MySQL/MariaDB database through PHP. The root cause is CWE-89, improper neutralization of special elements in an SQL command, meaning user-supplied input reaches a SQL statement without proper parameterization or escaping. The 'blind' designation indicates the injection does not return data directly in responses, so an attacker infers results through boolean/time-based inference. No CPE strings were provided in the source data; affected scope is identified via the ENISA EUVD record (EUVD-2026-32196) and the Patchstack advisory as the WordPress plugin slug easy-form-builder.
RemediationAI
No vendor-released patch version is identified in the available data - the affected range is listed as up to and including 4.0.6 with no fixed version specified, so administrators should monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/easy-form-builder/vulnerability/wordpress-easy-form-builder-plugin-4-0-6-sql-injection-vulnerability?_s_id=cve) and the WordPress plugin repository for a release above 4.0.6 and upgrade as soon as one is published. Until a fixed version is available, consider deactivating and removing the Easy Form Builder plugin (trade-off: any forms it provides will stop functioning) or restricting access to the affected form-handling endpoints. A web application firewall with SQL injection rules (such as Patchstack's vPatch or an equivalent WAF) can provide virtual patching to block injection payloads, though WAF rules may be bypassable and can produce false positives on legitimate form input. Audit database accounts used by WordPress to enforce least privilege, limiting the blast radius of any successful injection.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32196
GHSA-8rj8-4rfm-p4j9