SQL Injection Vulnerability in WordPress Form Maker Plugin by WP Gear
CVE-2018-25346

7.1HIGH

Key Information:

Vendor: WordPress
Status: Form Maker
Vendor: CVE Published:; 23 May 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2018-25346?

The Form Maker Plugin for WordPress versions up to 1.12.24 contains a security flaw that allows authenticated users to perform SQL injection attacks. By exploiting the 'FormMakerSQLMapping' and 'generate_csv' actions, attackers can submit malicious SQL payloads through the 'name' and 'search_labels' parameters in POST requests. This vulnerability enables the extraction, modification, and escalation of privileges within the WordPress database, posing a significant risk to site integrity and user data. Site administrators are advised to apply patches and update the plugin to mitigate potential breaches.

Affected Version(s)

Form Maker 0 <= 1.12.24

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2018-25346 - Proof of Concept

References

https://www.exploit-db.com/exploits/44853

exploit

https://www.vulncheck.com/advisories/wordpress-form-maker...

third-party-advisory

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 23, 2026
👾
Exploit known to exist
May 23, 2026
Vulnerability published
May 23, 2026
Vulnerability Reserved
May 23, 2026

Credit

Neven Biruski

CVE-2018-25346 Data

JSON