Form Maker < 1.15.38 – SQL Injection | CVE 2025-15441

Description

The plugin does not properly prepare SQL queries when the "MySQL Mapping" feature is in use, which could make SQL Injection attacks possible in certain contexts.

Proof of Concept

Testing Environment: The vulnerability was successfully reproduced and verified within a controlled local environment using the WPScan Vulnerability Database Testbench.

Plugin version: 1.15.34

1. Setup (Admin):
- Go to Form Maker > Forms > Form Options > MySQL Mapping.
- Create a query targeting any table (e.g., wp_options).
- Use a payload without quotes: INSERT INTO wp_options (option_name, option_value) VALUES ('sqli_test', {1})
- Note: {1} corresponds to the first input field ID.

2. Exploit (Unauthenticated):
- Navigate to the form page on the front-end.
- In the field corresponding to {1}, enter: 1 AND SLEEP(10)
- Submit the form.

3. Result:
- The server response will be delayed by 10 seconds, confirming the SQL execution.