CVE-2018-25347

HIGH

WordPress Contact Form Maker Plugin 1.12.20 SQL Injection

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25347. PoCs published by defensecode.

AI-analyzed exploit summary The exploit demonstrates SQL injection vulnerabilities in the WordPress Contact Form Maker plugin (version 1.12.20 and below) via two distinct PoC snippets. Both leverage time-based SQLi techniques (SLEEP) to confirm vulnerability, with one targeting the 'FormMakerSQLMapping_fmc' action and the other the 'generete_csv_fmc' action.

Description

WordPress Contact Form Maker Plugin 1.12.20 contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through the FormMakerSQLMapping and generete_csv_fmc AJAX actions. Attackers can inject malicious SQL code via the 'name' and 'search_labels' parameters to extract sensitive database information or escalate privileges.

Exploits (1)

exploitdb WORKING POC

by defensecode · textwebappsphp

https://www.exploit-db.com/exploits/44854

View Code ZIP pw:eip

The exploit demonstrates SQL injection vulnerabilities in the WordPress Contact Form Maker plugin (version 1.12.20 and below) via two distinct PoC snippets. Both leverage time-based SQLi techniques (SLEEP) to confirm vulnerability, with one targeting the 'FormMakerSQLMapping_fmc' action and the other the 'generete_csv_fmc' action.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: WordPress Contact Form Maker plugin <= 1.12.20

Auth required

Prerequisites: WordPress admin or privileged user access · Contact Form Maker plugin installed and activated

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed May 24, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit exploit

ExploitDB-44854

https://www.exploit-db.com/exploits/44854

Product product

Product Reference

https://wordpress.org/plugins/contact-form-maker/

Third Party Advisory third-party-advisory

VulnCheck Advisory: WordPress Contact Form Maker Plugin 1.12.20 SQL Injection

https://www.vulncheck.com/advisories/wordpress-contact-form-maker-plugin-sql-injection

Scores

CVSS v3 7.1

EPSS 0.0027

EPSS Percentile 19.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (1)

web-dorado/Contact Form Maker < 1.12.20

Published May 23, 2026

Tracked Since May 24, 2026