CVE-2018-25346

HIGH

WordPress Form Maker Plugin 1.12.24 SQL Injection via admin-ajax.php

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25346. PoCs published by defensecode.

AI-analyzed exploit summary The exploit demonstrates SQL injection vulnerabilities in the WordPress Form Maker plugin (version 1.12.24 and below) via two distinct attack vectors. Both PoCs leverage time-based SQL injection techniques (SLEEP) to confirm vulnerability, with one targeting the 'FormMakerSQLMapping' action and the other the 'generete_csv' action.

Description

WordPress Form Maker Plugin 1.12.24 and below contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through the FormMakerSQLMapping and generete_csv actions. Attackers can submit POST requests with malicious SQL payloads in the name and search_labels parameters to extract, modify, or escalate privileges within the WordPress database.

Exploits (1)

exploitdb WORKING POC

by defensecode · textwebappsphp

https://www.exploit-db.com/exploits/44853

View Code ZIP pw:eip

The exploit demonstrates SQL injection vulnerabilities in the WordPress Form Maker plugin (version 1.12.24 and below) via two distinct attack vectors. Both PoCs leverage time-based SQL injection techniques (SLEEP) to confirm vulnerability, with one targeting the 'FormMakerSQLMapping' action and the other the 'generete_csv' action.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: WordPress Form Maker plugin <= 1.12.24

Auth required

Prerequisites: WordPress admin or privileged user access · Form Maker plugin installed and activated

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed May 24, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit exploit

ExploitDB-44853

https://www.exploit-db.com/exploits/44853

Third Party Advisory third-party-advisory

VulnCheck Advisory: WordPress Form Maker Plugin 1.12.24 SQL Injection via admin-ajax.php

https://www.vulncheck.com/advisories/wordpress-form-maker-plugin-sql-injection-via-admin-ajax-php

Scores

CVSS v3 7.1

EPSS 0.0025

EPSS Percentile 16.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (1)

10Web/Form Maker < 1.12.24

Published May 23, 2026

Tracked Since May 24, 2026