What the vulnerability does
01Description
Wow Forms WordPress Plugin version 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to read arbitrary database information by exploiting an unescaped POST parameter. Attackers can inject SQL code through the 'mwpformid' parameter in requests to the admin-ajax.php endpoint with the 'send_mwp_form' action to extract sensitive database contents.
Explanation of Vulnerability in Simple Terms
02Summary
Wow Forms contains a SQL injection vulnerability in versions 2.1 and later. An attacker can inject malicious SQL commands through form input without authentication. This allows reading or modifying database contents, including user credentials and site data. Update to a patched version immediately.
What an attacker can do
03Attacker Capabilities
Read or modify the site database, including user accounts and sensitive data.
Potential impact on your site
04Site Impact
Attackers can steal user credentials, modify site content, or delete data without logging in.
Conditions required to exploit
05Prerequisites
Network access to the form; no authentication or user interaction required.
Key dates
06Disclosure timeline
June 9, 2026
CVE published
June 9, 2026
Record updated