Severity by source
Primary rating from vendor (Wordfence).
CVSS vector (vendor: Wordfence): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Endpoint is internet-reachable with broken auth (AV:N/AC:L/PR:N/UI:N); read-only ORDER BY SQLi exfiltrates data (C:H) but does not modify data or deny service (I:N/A:N).
Description (source: CVE.org)
The WP Forms Connector plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/wp/v3/post/list REST endpoint in versions up to and including 1.8. This is due to insufficient escaping on the user-supplied 'order' parameter (read directly from $_GET['order'] into $shorting) and the lack of sufficient preparation on the existing SQL query in the listPost() function, where the value is concatenated unquoted into the ORDER BY clause and executed via $wpdb->get_results() without $wpdb->prepare(). The endpoint is registered with permission_callback '__return_true' and performs only a broken header-based check that validates the supplied 'Username' corresponds to an administrator account while never verifying the 'Password'. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
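The two defects the description names, the unquoted ORDER BY concatenation and the header check that never looks at the password, are shown side by side below. This is an added example written for this page, not the plugin's own code: the wpfc_* function names, the posts query and the exact shape of the header check are reconstructed from the advisory text and are assumptions, not the vendor's source.

```php
<?php
// Added example, not the plugin's code. wpfc_* names, the query and the
// header-check details are assumptions reconstructed from the advisory.

// VULNERABLE pattern as described: the 'order' value is taken straight from
// $_GET, concatenated unquoted into ORDER BY and run without prepare().
// The only "authentication" is a Username header; Password is never compared.
function wpfc_list_posts_vulnerable( WP_REST_Request $request ) {
    global $wpdb;

    // Reconstructed header check: confirms the user exists and is an admin,
    // then stops. Anyone who knows an admin login passes.
    $user = get_user_by( 'login', (string) $request->get_header( 'username' ) );
    if ( ! $user || ! in_array( 'administrator', (array) $user->roles, true ) ) {
        return new WP_Error( 'rest_forbidden', 'Forbidden', array( 'status' => 403 ) );
    }

    $shorting = isset( $_GET['order'] ) ? $_GET['order'] : 'DESC'; // attacker-controlled
    $sql = "SELECT ID, post_title, post_date FROM {$wpdb->posts}
            WHERE post_type = 'post' AND post_status = 'publish'
            ORDER BY post_date $shorting";                       // raw interpolation
    return $wpdb->get_results( $sql );                           // no $wpdb->prepare()
}

// HARDENED: ORDER BY direction and column cannot be bound as placeholders,
// so they are mapped through allow-lists to fixed literals; everything that
// CAN be bound goes through $wpdb->prepare().
function wpfc_list_posts_hardened( WP_REST_Request $request ) {
    global $wpdb;

    $order = strtoupper( (string) $request->get_param( 'order' ) );
    $order = ( 'ASC' === $order ) ? 'ASC' : 'DESC';              // allow-list, default DESC

    $allowed_orderby = array( 'date' => 'post_date', 'title' => 'post_title', 'id' => 'ID' );
    $orderby_key     = (string) $request->get_param( 'orderby' );
    $orderby         = isset( $allowed_orderby[ $orderby_key ] ) ? $allowed_orderby[ $orderby_key ] : 'post_date';

    $per_page = (int) ( $request->get_param( 'per_page' ) ?? 10 );
    $per_page = max( 1, min( 100, $per_page ) );                 // clamp, never trust the client

    $sql = $wpdb->prepare(
        "SELECT ID, post_title, post_date FROM {$wpdb->posts}
         WHERE post_type = %s AND post_status = %s
         ORDER BY {$orderby} {$order} LIMIT %d",                 // identifiers come only from allow-lists
        'post',
        'publish',
        $per_page
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// HARDENED registration: authorization is done by WordPress in the
// permission_callback against the real session, not by a custom header,
// and the REST schema rejects anything outside the enum before the callback runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'wp/v3', '/post/list', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'wpfc_list_posts_hardened',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );             // replaces '__return_true'
        },
        'args'                => array(
            'order'    => array( 'type' => 'string', 'enum' => array( 'asc', 'desc', 'ASC', 'DESC' ), 'default' => 'DESC' ),
            'orderby'  => array( 'type' => 'string', 'enum' => array( 'date', 'title', 'id' ), 'default' => 'date' ),
            'per_page' => array( 'type' => 'integer', 'minimum' => 1, 'maximum' => 100, 'default' => 10 ),
        ),
    ) );
} );
```

The point worth keeping from the hardened version is that $wpdb->prepare() alone would not have fixed this bug: an ORDER BY direction or column name is not a value and cannot be a %s placeholder, so the only correct control is to map the input onto a fixed set of literals and never interpolate the raw string. The schema enum on the route is defence in depth; the in-function allow-list is what guarantees the query text.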
Analysis (AI-generated)
SQL injection in the WP Forms Connector WordPress plugin (versions up to and including 1.8) allows unauthenticated remote attackers to extract sensitive database contents via the 'order' parameter of the /wp-json/wp/v3/post/list REST endpoint. The endpoint is exposed with permission_callback '__return_true' and only validates a 'Username' header against an administrator account without verifying the corresponding 'Password', making the authentication check trivially bypassable. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Requires that the WP Forms Connector plugin (versions ≤1.8) is installed and active on a reachable WordPress site, that the /wp-json/wp/v3/post/list REST endpoint is exposed to the attacker (the default for public WordPress sites), and that the attacker knows or can enumerate a valid administrator username. The last condition is usually trivial: by default WordPress lists users who have published posts at /wp-json/wp/v2/users and reveals logins through author archives. … |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High) accurately reflects a network-exploitable, unauthenticated, low-complexity information-disclosure flaw with no integrity or availability impact, consistent with read-only SQLi extracting password hashes, secret keys and PII from wp_users and wp_options. … |
| Exploit Scenario | An unauthenticated attacker enumerates an administrator username via /wp-json/wp/v2/users or an author archive, then sends a GET request to /wp-json/wp/v3/post/list with a Username header naming that admin (any Password value, since it is not checked) and an 'order' query parameter carrying a subquery-based boolean or time-based SQL payload (the ORDER BY position does not admit a UNION directly). The injected SQL executes inside the ORDER BY clause of $wpdb->get_results(), allowing the attacker to exfiltrate wp_users password hashes, session tokens and secret-key options for offline cracking or session hijack. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed. The advisory data does not name a fixed plugin release, so administrators should upgrade to the first WP Forms Connector version greater than 1.8 once published and monitor the Wordfence advisory (wordfence.com/threat-intel/vulnerabilities/id/2cd53590-ded1-4e68-a9a3-aa1d2d880b80) and the plugin trac for a tagged release. … |
Recommended Action (AI-generated)
Within 24 hours: Identify all WordPress installations using WP Forms Connector versions ≤1.8; disable the plugin immediately or implement firewall rules blocking /wp-json/wp/v3/post/list endpoint access. …
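Where the plugin cannot be disabled immediately and no WAF sits in front of the site, the endpoint can be shut off inside WordPress itself. The must-use plugin below is an added example for this page, not a vendor mitigation: it short-circuits REST dispatch for the vulnerable route and logs each attempt so prior abuse can be hunted in the PHP error log. The route and header name come from the advisory; the log format and 403 message are this example's own choices.

```php
<?php
/**
 * Plugin Name: Block wp/v3/post/list (temporary mitigation)
 * Description: Added example, not from the plugin vendor. Drop into
 *              wp-content/mu-plugins/ until WP Forms Connector is patched,
 *              then remove it.
 */

// rest_pre_dispatch runs before any route callback or permission_callback,
// so the vulnerable listPost() code is never reached for this route.
add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    $blocked_route = '/wp/v3/post/list';            // route from the advisory

    if ( 0 !== strpos( $request->get_route(), $blocked_route ) ) {
        return $result;                              // not our route, leave dispatch alone
    }

    // Record what is useful for triage without echoing the raw payload into the log.
    $remote   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
    $username = $request->get_header( 'username' ) ?: '-';    // the unverified header the plugin trusted
    $has_order = null !== $request->get_param( 'order' ) ? 'yes' : 'no';
    error_log( sprintf(
        'mu-block: denied %s from %s (Username header=%s, order param present=%s)',
        $blocked_route,
        $remote,
        $username,
        $has_order
    ) );

    return new WP_Error(
        'rest_forbidden',
        'This endpoint is disabled pending a security update.',
        array( 'status' => 403 )
    );
}, 10, 3 );
```

Because this filter fires before permission checks, it also blocks legitimate administrators from the endpoint; that is the intended trade-off for a read-only listing route while the fix is pending. Requests that reach WordPress through a non-pretty-permalink path (?rest_route=/wp/v3/post/list) still go through WP_REST_Server and are caught as well, which is why the check is on the route rather than on REQUEST_URI.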
Weakness: CWE-89 – SQL Injection
Related identifiers: EUVD-2026-38661, GHSA-rx79-c7q2-h79q