
WP Forms Connector EUVD-2026-38661 | CVE-2026-9179 HIGH
SQL Injection (CWE-89)
2026-06-24 · Wordfence · GHSA-rx79-c7q2-h79q
CVSS 3.1: 7.5 · Vendor: Wordfence

Severity by source

Vendor (Wordfence), primary: 7.5 HIGH
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

vuln.today AI: 7.5 HIGH
Rationale: the endpoint is internet-reachable and its authentication check is broken (AV:N/AC:L/PR:N/UI:N); the ORDER BY injection sits in a read-only SELECT, so it exfiltrates data (C:H) but neither modifies data nor denies service (I:N/A:N).
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS Vector (Vendor: Wordfence)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline (2 events)

Analysis Generated: Jun 24, 2026, 06:51 (vuln.today)
CVE Published: Jun 24, 2026, 05:33 (cve.org)

Description (CVE.org)

The WP Forms Connector plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/wp/v3/post/list REST endpoint in versions up to and including 1.8. This is due to insufficient escaping on the user-supplied 'order' parameter (read directly from $_GET['order'] into $shorting) and the lack of sufficient preparation on the existing SQL query in the listPost() function, where the value is concatenated unquoted into the ORDER BY clause and executed via $wpdb->get_results() without $wpdb->prepare(). The endpoint is registered with permission_callback '__return_true' and performs only a broken header-based check that validates the supplied 'Username' corresponds to an administrator account while never verifying the 'Password'. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
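As an added illustration (not the plugin's source, which this page does not reproduce), the handler shape the description above outlines is reconstructed below next to a hardened version. Only listPost(), $_GET['order'] flowing into $shorting, $wpdb->get_results() without prepare(), the '__return_true' permission callback, the Username/Password headers and the wp/v3 /post/list route come from the advisory; the wpfc_ function names, the SELECT itself, the orderby allowlist and the 'edit_posts' capability are assumptions made for the example. It needs the WordPress runtime and is not a stand-alone script.

```php
<?php
// Added illustration only; not the plugin's source. Reconstructs the handler
// shape the advisory describes, then a hardened version. From the advisory:
// listPost(), $_GET['order'] -> $shorting, $wpdb->get_results() without
// prepare(), permission_callback '__return_true', Username/Password headers.
// Assumed: the wpfc_ prefixes, the SELECT itself, the 'edit_posts' capability.
// Needs the WordPress runtime; it is not a stand-alone script.

// ---- Vulnerable shape ------------------------------------------------------
function wpfc_vulnerable_listPost( WP_REST_Request $request ) {
    global $wpdb;

    // Broken gate: confirms Username names an administrator, never checks Password.
    $user = get_user_by( 'login', (string) $request->get_header( 'Username' ) );
    if ( ! $user || ! user_can( $user, 'administrator' ) ) {
        return new WP_Error( 'rest_forbidden', 'Forbidden', array( 'status' => 403 ) );
    }

    // Injection point: raw $_GET['order'] concatenated unquoted into ORDER BY.
    $shorting = isset( $_GET['order'] ) ? $_GET['order'] : 'DESC';
    $sql      = "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_status = 'publish'"
              . " ORDER BY post_date " . $shorting;          // no $wpdb->prepare()
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}
// Registered with 'permission_callback' => '__return_true', so anyone reaches the handler.

// ---- Hardened shape --------------------------------------------------------
function wpfc_hardened_listPost( WP_REST_Request $request ) {
    global $wpdb;

    // ORDER BY identifiers and direction cannot be bound as prepared-statement
    // values, so map the input onto a fixed allowlist instead of escaping it.
    $direction = ( 'ASC' === strtoupper( (string) $request->get_param( 'order' ) ) ) ? 'ASC' : 'DESC';
    $columns   = array( 'date' => 'post_date', 'title' => 'post_title', 'id' => 'ID' );
    $key       = $request->get_param( 'orderby' );
    $orderby   = ( is_string( $key ) && isset( $columns[ $key ] ) ) ? $columns[ $key ] : 'post_date';

    // Data values go through prepare(); identifiers come only from the allowlist.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_status = %s ORDER BY {$orderby} {$direction} LIMIT %d",
        'publish',
        50
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'wp/v3', '/post/list', array(
        'methods'  => WP_REST_Server::READABLE,
        'callback' => 'wpfc_hardened_listPost',
        // Real authorization: let WordPress authenticate the request (cookie plus
        // nonce, or an application password) and check a capability; no custom
        // header-based username/password check.
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        // Schema validation rejects anything outside the enum before the callback runs.
        'args' => array(
            'order'   => array( 'type' => 'string', 'enum' => array( 'asc', 'desc' ), 'default' => 'desc' ),
            'orderby' => array( 'type' => 'string', 'enum' => array( 'date', 'title', 'id' ), 'default' => 'date' ),
        ),
    ) );
} );
```

The two fixes are independent and both matter: the allowlist closes the injection even for a legitimately authenticated caller, and the capability-based permission_callback removes the header check that let anyone who knew an admin login reach the query in the first place.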

Analysis (AI)

SQL injection in the WP Forms Connector WordPress plugin (versions up to and including 1.8) allows unauthenticated remote attackers to extract sensitive database contents via the 'order' parameter of the /wp-json/wp/v3/post/list REST endpoint. The endpoint is exposed with permission_callback '__return_true' and only validates a 'Username' header against an administrator account without verifying the corresponding 'Password', making the authentication check trivially bypassable. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: discover a WordPress site running the plugin
Delivery: enumerate an administrator username via the REST API
Exploit: craft a GET to /wp-json/wp/v3/post/list with the admin username in the Username header
Execution: inject the SQL payload via the 'order' parameter
Persist: the database returns extracted rows in the response
Impact: exfiltrate password hashes and secrets

Vulnerability Assessment (AI)

Exploitation: requires that the WP Forms Connector plugin (versions ≤1.8) is installed and active on a reachable WordPress site, that the /wp-json/wp/v3/post/list REST endpoint is exposed to the attacker (the default for public WordPress sites), and that the attacker knows or can enumerate a valid administrator username, which is typically trivial because WordPress exposes the logins of users with published posts through /wp-json/wp/v2/users and author archives by default. …

Risk Assessment: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High) accurately reflects a network-exploitable, unauthenticated, low-complexity information-disclosure flaw with no integrity or availability impact, consistent with a read-only SQLi extracting password hashes, secret keys and PII from wp_users and wp_options. …

Exploit Scenario: an unauthenticated attacker enumerates an administrator username via /wp-json/wp/v2/users or the author archive, then sends a GET request to /wp-json/wp/v3/post/list with a Username header naming that admin (any Password value, since it is not checked) and an 'order' query parameter carrying a boolean-, error- or time-based SQL payload. Because the injection point sits inside an ORDER BY clause, a UNION cannot be appended there; extraction proceeds by inference (conditional or timing differences) or through database error messages rather than by returning attacker-chosen rows directly. The injected SQL executes inside the ORDER BY clause of the query passed to $wpdb->get_results(), allowing the attacker to exfiltrate wp_users password hashes, session tokens and secret-key options for offline cracking or session hijack. …

Remediation: an upstream fix is available (PR/commit), but a released patched version is not independently confirmed and the input data does not name a fixed plugin release, so administrators should upgrade to the latest WP Forms Connector version greater than 1.8 once published and monitor the Wordfence advisory (wordfence.com/threat-intel/vulnerabilities/id/2cd53590-ded1-4e68-a9a3-aa1d2d880b80) and the plugin trac for a tagged release. …

Recommended Action (AI)

Within 24 hours: Identify all WordPress installations using WP Forms Connector versions ≤1.8; disable the plugin immediately or implement firewall rules blocking /wp-json/wp/v3/post/list endpoint access. …
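Alongside blocking the endpoint, a practitioner will want to know whether it was already probed. The triage helper below is an added example, not part of this advisory or of the plugin: it reads combined-format web-server access-log lines, keeps only requests to /wp-json/wp/v3/post/list, URL-decodes the query string and flags any 'order' value that is not a bare asc/desc (the only values a benign caller sends to a sort-direction parameter). The log lines embedded in it are constructed for the example, the endpoint path comes from the advisory, and everything else (script name, heuristics) is an assumption.

```php
<?php
// Added triage helper; not part of the advisory or the plugin. Scans
// combined-format access-log lines for requests to the affected endpoint whose
// 'order' value is anything other than a bare sort direction. The sample log
// lines are constructed for this example. Usage: php wpfc_triage.php access.log
declare(strict_types=1);

const TARGET_PATH = '/wp-json/wp/v3/post/list';

/** Pull the request path and query string out of one combined-log line, or null if unparseable. */
function parse_request(string $line): ?array
{
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $url = parse_url($m[1]);
    if ($url === false) {
        return null;
    }
    return ['path' => $url['path'] ?? '', 'query' => $url['query'] ?? ''];
}

/** A legitimate value is "asc" or "desc"; anything else landed inside ORDER BY verbatim. */
function classify_order(?string $order): string
{
    if ($order === null) {
        return 'benign';                       // parameter absent: the plugin default applies
    }
    return preg_match('/^(?:asc|desc)$/i', trim($order)) === 1 ? 'benign' : 'suspicious';
}

/** Return the flagged lines together with the decoded 'order' value that triggered them. */
function flag_lines(array $lines): array
{
    $flagged = [];
    foreach ($lines as $line) {
        $req = parse_request($line);
        if ($req === null || $req['path'] !== TARGET_PATH) {
            continue;
        }
        parse_str($req['query'], $params);     // decodes %xx and '+' so encoded payloads are compared raw
        $order = (isset($params['order']) && is_string($params['order'])) ? $params['order'] : null;
        if (classify_order($order) === 'suspicious') {
            $flagged[] = ['order' => $order, 'line' => $line];
        }
    }
    return $flagged;
}

// Constructed sample: a normal listing, an unrelated user enumeration, two probes.
$sample = [
    '203.0.113.5 - - [24/Jun/2026:06:10:01 +0000] "GET /wp-json/wp/v3/post/list?order=desc HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Jun/2026:06:10:02 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Jun/2026:06:11:30 +0000] "GET /wp-json/wp/v3/post/list?order=desc%2C%28SELECT%20SLEEP%285%29%29 HTTP/1.1" 200 812 "-" "curl/8.4.0"',
    '198.51.100.7 - - [24/Jun/2026:06:11:45 +0000] "GET /wp-json/wp/v3/post/list?order=desc%27 HTTP/1.1" 500 0 "-" "python-requests/2.31"',
];

$lines = ($argc > 1)
    ? (file($argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [])
    : $sample;

foreach (flag_lines($lines) as $hit) {
    printf("SUSPICIOUS order=%s\n  %s\n", var_export($hit['order'], true), $hit['line']);
}
```

Run without an argument it reports the two constructed probes and ignores the first two lines. Access logs do not record the Username header the exploit needs, so the heuristic keys on the 'order' value alone; a hit that returned 200 rather than 500 deserves the closer look, since a syntactically valid injection leaves no error trace in the status code.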




EUVD-2026-38661 vulnerability details – vuln.today
