CVE-2025-6782

Name of the Vulnerable Software and Affected Versions: GoZen Forms plugin for WordPress versions prior to 1.1.5

Description: The issue allows for SQL Injection due to insufficient escaping on the forms-id parameter of the dirGZActiveForm() function and lack of sufficient preparation on the existing SQL query. This enables unauthenticated attackers to append additional SQL queries into already existing queries, potentially extracting sensitive information from the database.

Recommendations: For versions prior to 1.1.5, update to version 1.1.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the dirGZActiveForm() function until a patch is available. Avoid using the forms-id parameter in the affected function until the issue is resolved.