CVE-2018-25346

Name of the Vulnerable Software and Affected Versions WordPress Form Maker Plugin versions prior to 1.12.25

Description Authenticated attackers can manipulate database queries by injecting SQL code through the 'FormMakerSQLMapping' and 'generete csv' actions. This is achieved by submitting POST requests to the '/admin-ajax.php' endpoint containing malicious SQL payloads in the name and search labels parameters. Such actions may allow the extraction of data, modification of records, or privilege escalation within the WordPress database.

Recommendations Update to a version newer than 1.12.24. As a temporary workaround, restrict access to the '/admin-ajax.php' endpoint or limit the use of the name and search labels parameters within the 'FormMakerSQLMapping' and 'generete csv' actions.