SQL Injection Vulnerability in Form Vibes Plugin for WordPress
CVE-2024-5325

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Form Vibes – Database Manager For Forms
Vendor: CVE Published:; 12 July 2024

Summary

The Form Vibes plugin for WordPress poses a significant security risk due to a vulnerability that allows SQL Injection through the ‘fv_export_data’ parameter. This issue arises from inadequate escaping of user-supplied input and insufficient preparation of the SQL query. Authenticated users with Subscriber-level access or higher can exploit this vulnerability, enabling them to insert malicious SQL statements into existing queries. Such exploitation can lead to the extraction of sensitive information from the database, compromising user data and potentially leading to further attacks.

Affected Version(s)

Form Vibes – Database Manager for Forms * <= 1.4.10

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3115288/form...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 12, 2024
Vulnerability Reserved
May 24, 2024

Credit

Peter Thaleikis