CVE-2017-20244
Status: Deferred - Pending Action
SQL Injection in Wow Forms WordPress Plugin

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VulnCheck

Description
Wow Forms WordPress Plugin version 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to read arbitrary database information by exploiting an unescaped POST parameter. Attackers can inject SQL code through the 'mwpformid' parameter in requests to the admin-ajax.php endpoint with the 'send_mwp_form' action to extract sensitive database contents.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-09
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor        Product            Version / Range
wow-company   wow_forms          up to 2.1 (inclusive)
wow_forms     wordpress_plugin   2.1
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Quick Actions
Compliance Impact

The SQL injection vulnerability in Wow Forms WordPress Plugin version 2.1 allows unauthenticated attackers to read arbitrary sensitive database information. This exposure of sensitive data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized access.

By enabling attackers to extract sensitive database contents, the vulnerability increases the risk of data breaches, which can result in regulatory penalties, legal consequences, and damage to organizational reputation under these standards.

Executive Summary

The Wow Forms WordPress Plugin version 2.1 contains an SQL injection vulnerability. This flaw allows unauthenticated attackers to inject SQL code through an unescaped POST parameter named 'mwpformid' in requests to the admin-ajax.php endpoint with the 'send_mwp_form' action.

By exploiting this vulnerability, attackers can read arbitrary and sensitive information from the website's database.

The vulnerability arises because the plugin does not properly neutralize special elements in the SQL command, enabling attackers to manipulate database queries.

Impact Analysis

This vulnerability can have critical impacts on affected websites using the Wow Forms plugin version 2.1 or below.

  • Attackers can read arbitrary and sensitive database information, potentially exposing user data and confidential site information.
  • If the web server is misconfigured, attackers might also gain read and write access to the filesystem, increasing the risk of further compromise.
  • The vulnerability can be exploited without authentication, making it easier for attackers to launch attacks remotely.

Overall, this can lead to data breaches, loss of data integrity, and potential damage to the website's reputation and trustworthiness.

Detection Guidance

The vulnerability can be detected by monitoring for suspicious POST requests to the admin-ajax.php endpoint with the 'send_mwp_form' action that include the 'mwpformid' parameter. These requests may contain SQL injection payloads attempting to extract database information.

Tools like sqlmap can be used to test for this SQL injection vulnerability by targeting the 'mwpformid' POST parameter. Sqlmap supports boolean-based blind, time-based blind, and UNION query attacks to confirm the presence of the vulnerability.

  • Example sqlmap command to test the vulnerability: sqlmap -u "http://targetsite.com/wp-admin/admin-ajax.php" --data="action=send_mwp_form&mwpformid=1" --risk=3 --level=5
  • Monitor web server logs for unusual POST requests to admin-ajax.php with the 'send_mwp_form' action and suspicious 'mwpformid' values.
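The log-monitoring step above, worked as an added example that is not part of this advisory: a small Python scanner over captured request records. Standard web server access logs record only the request line, not the POST body, so the 'action' and 'mwpformid' parameters are only visible in a source that captures bodies, such as a WAF audit log or an application-level request hook; the record field names, the sample entries, and the rule that 'mwpformid' should be a plain integer are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample of captured POST requests (as a WAF audit log or a
# request-logging hook might record them). These are NOT real traffic; the
# "body" field is an assumption about the log source, since plain access
# logs do not contain POST bodies.
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.10", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "body": "action=send_mwp_form&mwpformid=3&name=Ann"},
    {"ip": "203.0.113.77", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "body": "action=send_mwp_form&mwpformid=3+OR+1%3D1"},
    {"ip": "203.0.113.78", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "body": "action=send_mwp_form&mwpformid=3%27"},
    {"ip": "203.0.113.79", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "body": "action=send_mwp_form"},
    {"ip": "198.51.100.5", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "body": "action=heartbeat&_nonce=abc"},
    {"ip": "198.51.100.6", "method": "GET", "path": "/wp-admin/admin-ajax.php",
     "body": ""},
]

# Assumption for this example: a legitimate form id is a plain decimal
# integer. Anything else (quotes, spaces, keywords, an empty value) is flagged.
VALID_FORM_ID = re.compile(r"^[0-9]+$")
TARGET_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "send_mwp_form"


def classify(req):
    """Return None if the request is not a send_mwp_form POST to
    admin-ajax.php, 'benign' if mwpformid is a plain integer, and
    'suspicious' if mwpformid is missing or contains anything else."""
    if req["method"] != "POST" or not req["path"].endswith(TARGET_PATH):
        return None
    params = parse_qs(req["body"], keep_blank_values=True)
    if params.get("action", [None])[0] != TARGET_ACTION:
        return None
    form_id = params.get("mwpformid", [""])[0]
    return "benign" if VALID_FORM_ID.match(form_id) else "suspicious"


def scan(requests):
    """Return (ip, mwpformid value) for every request flagged as suspicious,
    in log order, so the result can feed an alert or a block list."""
    hits = []
    for req in requests:
        if classify(req) == "suspicious":
            params = parse_qs(req["body"], keep_blank_values=True)
            hits.append((req["ip"], params.get("mwpformid", [""])[0]))
    return hits


if __name__ == "__main__":
    for ip, value in scan(SAMPLE_REQUESTS):
        print(f"ALERT {ip} sent send_mwp_form with mwpformid={value!r}")
```

The rule is deliberately an allow-list on the expected shape of the parameter rather than a block-list of SQL keywords: it catches encoded and obfuscated values as well as plain ones, and the same predicate can be reused as the WAF rule described under Mitigation Strategies.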

Mitigation Strategies

Immediate mitigation steps include disabling or removing the Wow Forms WordPress plugin version 2.1 or below from your WordPress installation to prevent exploitation.

If removal is not immediately possible, restrict access to the admin-ajax.php endpoint or implement web application firewall (WAF) rules to block requests containing suspicious 'mwpformid' parameters or the 'send_mwp_form' action.

Monitor your system for any signs of exploitation and ensure your WordPress installation and plugins are kept up to date with security patches once available.
