WordPress Plugin Vulnerabilities

Contact Form Generator < 2.9.0 - Contributor+ SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by Contributor roles and above

Affects Plugins

Plugin icon
contact-form-generator
Fixed in 2.9.0

References

CVE
CVE-2023-35911
URL
https://patchstack.com/database/vulnerability/contact-form-generator/wordpress-contact-form-generator-plugin-2-6-0-sql-injection-vulnerability

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Emili Castells
Verified
No
WPVDB ID
9e14e794-c144-43b1-ba7a-39d389348aaa

Timeline

Publicly Published
2023-10-09 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2025-06-26 (about 10 months ago)

Other

Published
Title
Published
2020-04-01
Title
LearnDash < 3.1.6 - Unauthenticated SQL Injection
Published
2014-08-01
Title
A Forms 1.4.0 - a-forms.php a_form_tracking_page FunctionMultiple Parameters SQL Injection
Published
2025-12-01
Title
WP Directory Kit < 1.4.7 - Authenticated (Admin+) SQL Injection
Published
2026-03-20
Title
JS Help Desk – AI-Powered Support & Ticketing System < 3.0.4 - Authenticated (Subscriber+) SQL Injection
Published
2021-09-02
Title
Meow Gallery < 4.1.9 - Contributor+ SQL Injection