CVE-2026-9179
Status: Received (Intake)
SQL Injection in WP Forms Connector WordPress Plugin

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: Wordfence

Description
The WP Forms Connector plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/wp/v3/post/list REST endpoint in versions up to and including 1.8. This is due to insufficient escaping on the user-supplied 'order' parameter (read directly from $_GET['order'] into $shorting) and the lack of sufficient preparation on the existing SQL query in the listPost() function, where the value is concatenated unquoted into the ORDER BY clause and executed via $wpdb->get_results() without $wpdb->prepare(). The endpoint is registered with permission_callback '__return_true' and performs only a broken header-based check that validates the supplied 'Username' corresponds to an administrator account while never verifying the 'Password'. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Meta Information
Generated: 2026-06-24
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products
Vendor: wp_forms_connector
Product: wp_forms_connector
Version / Range: up to and including 1.8
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

The WP Forms Connector plugin for WordPress registers a /wp-json/wp/v3/post/list REST route whose 'order' parameter is read straight from $_GET into $shorting and concatenated, unquoted, into the ORDER BY clause of the query built in listPost(). That query goes to $wpdb->get_results() without $wpdb->prepare(), so whatever the caller supplies is executed as SQL.

The route's access control is broken on two levels. It is registered with permission_callback '__return_true', so WordPress itself applies no capability check. The handler's own header-based check only confirms that the supplied 'Username' names an administrator account and never verifies 'Password'; administrator usernames are generally easy to discover on a WordPress site, so this check does not keep unauthenticated attackers away from the injection.

Impact Analysis

An unauthenticated attacker can inject SQL into the ORDER BY clause of the post-listing query. Because $wpdb->get_results() issues a single statement, the practical exploitation path is not a stacked query ('; DROP ...') but an ORDER BY injection, worked through boolean-based or time-based blind techniques (or error-based, if database errors reach the response). That is slower than a direct read but still lets the attacker extract arbitrary rows from the database, including the administrator records in wp_users.

The impact is therefore to confidentiality: data held in the WordPress database can be read without authorization, and leaked credential hashes can become a stepping stone to further compromise.

Detection Guidance

The only legitimate values for a sort direction are ASC and DESC, so detection does not need to recognise SQL keywords: any request to /wp-json/wp/v3/post/list whose 'order' value is anything else is suspicious, and an allowlist rule produces far fewer false positives than a keyword signature.

Because the parameter is read from $_GET, the payload is part of the request URL and therefore lands in ordinary web-server access logs; compare the value after percent-decoding, since attackers URL-encode spaces, commas and parentheses. Cover both URL forms that reach the same handler, the pretty-permalink path /wp-json/wp/v3/post/list and the fallback /?rest_route=/wp/v3/post/list, and correlate hits with HTTP 500 responses or 'WordPress database error' entries in the debug log (when debug logging is enabled), which an ORDER BY syntax error produces.

  • Search access logs for requests to the route whose 'order' value is not ASC or DESC, e.g.: grep -i 'wp/v3/post/list' /var/log/apache2/access.log | grep -i 'order=' | grep -Eiv 'order=(asc|desc)( |&|")' (adjust the log path for Nginx; the final grep drops the legitimate values so only unexpected ones remain).
  • To check whether an installation is affected, send a value that is only meaningful as SQL syntax and compare the response with a legitimate request, e.g.: curl -sS -o /dev/null -w '%{http_code}\n' -G 'https://yourwordpresssite.com/wp-json/wp/v3/post/list' -H 'Username: <admin-login>' --data-urlencode 'order=DESC,' against the same command with order=DESC. Per the description, the handler only proceeds when the 'Username' header names an administrator account, so without that header the request never reaches the query. A database error or a differing response for the trailing-comma value shows that the input reaches the query unsanitised. Do not use destructive payloads such as DROP TABLE against a live site; they are unnecessary, and $wpdb->get_results() runs a single statement, so a stacked query would not execute anyway.
  • Deploy a WAF or IDS rule that percent-decodes the query string and allows only ASC or DESC for 'order' on this route, rather than relying on generic SQL-keyword signatures.
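The log check described above, as an added example that is not part of the original advisory: a small Python scanner that pulls requests to the vulnerable route out of combined-format access logs, handles both the pretty-permalink path and the ?rest_route= form, percent-decodes the query string, and reports every 'order' value that is not ASC or DESC. The sample log lines are constructed for illustration; the addresses, timestamps and user agents are fictitious.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Route named in the advisory. WordPress also serves every REST route through
# the fallback form /?rest_route=<route>, which reaches the same handler.
ENDPOINT = "/wp-json/wp/v3/post/list"

# A sort direction can only legitimately be one of these; anything else is
# flagged, which avoids keyword signatures and their false positives.
ALLOWED_ORDER = {"asc", "desc"}

# Apache/Nginx "combined" format; only the fields the scanner needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def rest_route(target):
    """Return (normalised REST path, decoded query dict) for a request target.

    parse_qs percent-decodes values, so 'order=ASC%2C%281%29' comes back as
    'ASC,(1)'. A ?rest_route= parameter overrides the URL path.
    """
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    route = query.get("rest_route", [None])[0]
    if route is not None:
        path = "/wp-json/" + route.lstrip("/")
    else:
        path = parts.path
    return path.rstrip("/"), query


def suspicious_order_values(target):
    """Return the 'order' values that are not ASC/DESC for a request to the
    vulnerable route, or [] if the request is for another route or is clean."""
    path, query = rest_route(target)
    if path != ENDPOINT:
        return []
    return [v for v in query.get("order", []) if v.strip().lower() not in ALLOWED_ORDER]


def scan(lines):
    """Return one finding per access-log line that hits the route with an
    unexpected 'order' value. Lines that do not parse are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        bad = suspicious_order_values(m["target"])
        if bad:
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": m["status"],
                "order": bad,
            })
    return findings


# Constructed sample log lines (fictitious addresses and timestamps): two
# legitimate requests in both URL forms, two probes with encoded SQL syntax,
# and one request to a different route that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jun/2026:10:01:02 +0000] "GET /wp-json/wp/v3/post/list?order=DESC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jun/2026:10:01:05 +0000] "GET /?rest_route=/wp/v3/post/list&order=asc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [24/Jun/2026:10:02:41 +0000] "GET /wp-json/wp/v3/post/list?order=ASC%2C%28SELECT%201%29 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.23 - - [24/Jun/2026:10:02:49 +0000] "GET /?rest_route=%2Fwp%2Fv3%2Fpost%2Flist&order=DESC%20AND%201%3D1 HTTP/1.1" 500 312 "-" "python-requests/2.31"
203.0.113.9 - - [24/Jun/2026:10:03:00 +0000] "GET /wp-json/wp/v2/posts?order=desc%3B-- HTTP/1.1" 400 98 "-" "curl/8.0"
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} HTTP {f['status']} order={f['order']!r}")
```

Run it against a real log with `scan(open('/var/log/apache2/access.log').read().splitlines())`. Only the two probe lines are reported: the DESC/asc requests pass the allowlist in both URL forms, and the wp/v2/posts request is ignored because it is a different route. Because the parameter is read from $_GET, this covers the attack surface the advisory describes; if the plugin were ever changed to accept POST bodies, access logs alone would no longer be sufficient.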
Mitigation Strategies

Update the WP Forms Connector plugin to a release later than 1.8 that addresses this issue; the advisory lists versions up to and including 1.8 as affected and names no fixed version. Whatever the vendor ships, the correct fix for this class of bug is an allowlist: accept 'order' only if it is exactly ASC or DESC (after normalising case) and fall back to a fixed default otherwise. $wpdb->prepare() is not a substitute here, because its placeholders quote their arguments as string or numeric literals, which is wrong for an ORDER BY direction keyword. The permission callback should likewise be replaced with a real capability check (for example current_user_can()) instead of '__return_true' plus a header check.

If no update is available, restrict access to the route. Firewall or .htaccess rules must match both /wp-json/wp/v3/post/list and the equivalent /?rest_route=/wp/v3/post/list form, or the restriction is trivially bypassed.

A WAF rule that percent-decodes the request and rejects any 'order' value other than ASC or DESC on this route blocks the injection without needing SQL-keyword signatures.

Monitor logs for the patterns described under Detection Guidance, and if the risk is high and no patch is available, deactivate the plugin: its REST routes are only registered while it is active.

Compliance Impact

The vulnerability allows unauthenticated attackers to perform SQL Injection attacks that can extract sensitive information from the database.

Such unauthorized access to sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls to protect personal and health information.

Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to potential data breaches and exposure of protected information.
