Login Sign Up

CVE-2023-31212

9.8 CRITICAL
SQL Injection

📋 TL;DR

This SQL injection vulnerability in WordPress Contact Form Entries plugin allows authenticated attackers to execute arbitrary SQL commands on the database. It affects all versions up to 1.3.0 of the plugin when used with Contact Form 7, WPForms, or Elementor forms. Attackers could steal sensitive data, modify database contents, or potentially gain administrative access.

💻 Affected Systems

Products:
  • WordPress Contact Form Entries plugin
Versions: All versions up to and including 1.3.0
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires plugin to be installed and active with Contact Form 7, WPForms, or Elementor forms integration enabled.

📦 What is this software?

Database For Contact Form 7\, Wpforms\, Elementor Forms by Crmperks

View all CVEs affecting Database For Contact Form 7\, Wpforms\, Elementor Forms →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, privilege escalation to WordPress admin, and potential server takeover if database user has elevated privileges.

🟠

Likely Case

Unauthorized access to form submission data, exposure of personally identifiable information (PII), and potential modification of WordPress settings or user accounts.

🟢

If Mitigated

Limited to authenticated user data exposure if proper database user permissions are configured and other security controls are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated WordPress user access. SQL injection payloads are publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.1 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/contact-form-entries/wordpress-contact-form-entries-plugin-1-3-0-auth-sql-injection-sqli-vulnerability

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Contact Form Entries' plugin. 4. Click 'Update Now' if available. 5. If no update appears, manually download version 1.3.1+ from WordPress.org and replace plugin files.

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily deactivate the Contact Form Entries plugin until patched

wp plugin deactivate contact-form-entries

Restrict user access

all

Limit WordPress user accounts to only trusted administrators

🧯 If You Can't Patch

  • Implement web application firewall (WAF) with SQL injection rules
  • Restrict database user permissions to minimum required privileges

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for Contact Form Entries version

Check Version:

wp plugin get contact-form-entries --field=version

Verify Fix Applied:

Verify plugin version is 1.3.1 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by plugin-specific requests
  • Requests containing SQL keywords (SELECT, UNION, etc.) to plugin endpoints

Network Indicators:

  • POST requests to /wp-admin/admin-ajax.php with SQL payloads
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND (url_path="/wp-admin/admin-ajax.php" OR url_path="/wp-content/plugins/contact-form-entries/") AND (query_string CONTAINS "SELECT" OR query_string CONTAINS "UNION" OR query_string CONTAINS "OR 1=1")

📊 Metadata

CVE ID: CVE-2023-31212
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Published: October 31, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-31212, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)