SQL Injection Vulnerability in WP Forms Connector for WordPress
CVE-2026-9179

7.5HIGH

Key Information:

Vendor: WordPress
Status: WP Forms Connector
Vendor: CVE Published:; 24 June 2026

What is CVE-2026-9179?

The WP Forms Connector plugin for WordPress exhibits vulnerabilities due to insufficient input validation and escaping in its '/wp-json/wp/v3/post/list' REST endpoint. An attacker can manipulate the 'order' parameter, injecting malicious SQL queries that could expose sensitive database information. This vulnerability arises from a lack of prepared statements and insecure handling of user inputs. Furthermore, the inadequate authentication checks allow unauthenticated users to exploit this weakness, exacerbating the risk to WordPress installations. Users should promptly update to the latest version to mitigate this risk.

Affected Version(s)

WP Forms Connector 0 <= 1.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-forms-conne...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 24, 2026
Vulnerability Reserved
May 21, 2026

Credit

jamaal

CVE-2026-9179 Data

JSON