WordPress Contact Form Generator Plugin <= 2.6.0 is vulnerable to SQL Injection
CVE-2023-35911

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Contact Form Generator : Creative Form Builder For WordPress
Vendor: CVE Published:; 6 November 2023

Summary

An SQL Injection vulnerability has been identified in the Creative Solutions Contact Form Generator, a popular form-building plugin for WordPress. This flaw allows attackers to manipulate SQL queries by improperly neutralizing special elements used in the SQL command. As a result, unauthorized access to sensitive data could be exploited. Users of the Contact Form Generator from version n/a through 2.6.0 should take immediate action to secure their installations.

Affected Version(s)

Contact Form Generator : Creative form builder for WordPress <= 2.6.0

References

https://patchstack.com/database/vulnerability/contact-for...

vdb-entry

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 6, 2023
Vulnerability Reserved
Jun 20, 2023

Credit

Emili Castells (Patchstack Alliance)