Skip to main content

Persian Gravity Forms CVE-2026-61955

| EUVDEUVD-2026-43435 HIGH
SQL Injection (CWE-89)
2026-07-13 Patchstack
7.6
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.6 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
4.9 MEDIUM

Network-reachable blind SQLi needs an existing high-privilege account (PR:H, AC:L); read-oriented data disclosure gives C:H with I:N/A:N, and scope stays unchanged absent evidence of cross-system impact.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:21 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.6

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Hannan گرویتی فرم فارسی persian-gravity-forms allows Blind SQL Injection.This issue affects گرویتی فرم فارسی: from n/a through <= 3.0.2.

AnalysisAI

Blind SQL injection in the persian-gravity-forms WordPress plugin (گرویتی فرم فارسی) affects all versions up to and including 3.0.2, allowing a high-privilege authenticated attacker to inject arbitrary SQL through unsanitized input and blindly extract database contents. The flaw was reported by Patchstack and carries a CVSS 7.6 due to a changed scope and high confidentiality impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as high-privilege WordPress user
Delivery
Access vulnerable plugin parameter
Exploit
Inject blind SQL payload
Execution
Infer data via boolean/time responses
Impact
Exfiltrate database contents

Vulnerability AssessmentAI

Exploitation Exploitation requires a high-privilege authenticated WordPress session (CVSS PR:H), so the attacker must already possess administrator-level or equivalently elevated access to the target site before reaching the vulnerable persian-gravity-forms code path; this is the primary factor limiting real-world exploitation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L) indicates a network-reachable, low-complexity attack requiring high privileges and no user interaction, with a scope change and high confidentiality impact - a base score of 7.6 (High). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained a high-privilege WordPress account - for example via credential theft, phishing of an administrator, or session hijacking - submits crafted input to the vulnerable plugin parameter, causing boolean- or time-based blind SQL injection. By iterating inference queries, they exfiltrate sensitive database contents such as password hashes, secret keys, and user PII. …
Remediation No vendor-released patch version was identified in the provided data, so the exact fixed release is not confirmed - consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/persian-gravity-forms/vulnerability/wordpress-ro-t-frm-f-rs-plugin-3-0-2-sql-injection-vulnerability?_s_id=cve) for any release after 3.0.2 and upgrade to it as the primary fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit all WordPress installations to identify those running Persian Gravity Forms and document installed versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-61955 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy