CVE-2017-20244: SQL Injection in Wow Forms WordPress Plugin v2.1 – Critical Unauth Database Extraction
The Wow Forms WordPress plugin version 2.1 has a critical flaw that lets attackers steal sensitive information directly from a website's database without needing to log in. By sending specially crafted requests to the plugin's form-handling endpoint, an attacker can inject malicious SQL commands through the form ID parameter, bypassing the plugin's security controls and reading any database content they want—including user credentials, email addresses, and other confidential data.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Wow Forms WordPress Plugin version 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to read arbitrary database information by exploiting an unescaped POST parameter. Attackers can inject SQL code through the 'mwpformid' parameter in requests to the admin-ajax.php endpoint with the 'send_mwp_form' action to extract sensitive database contents.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2017-20244 is an unauthenticated SQL injection vulnerability in Wow Forms WordPress plugin v2.1. The vulnerability exists in the admin-ajax.php endpoint's 'send_mwp_form' action handler, which fails to properly sanitize the 'mwpformid' POST parameter before using it in a database query. This allows an attacker to inject arbitrary SQL syntax and extract database records. The vulnerability carries a CVSS v3.1 score of 8.2 (HIGH), reflecting high confidentiality impact, limited integrity impact, and no availability impact. The attack requires no authentication, no user interaction, and can be executed over the network with low complexity.
Business impact
This vulnerability poses a significant risk to any WordPress site running the vulnerable Wow Forms plugin. Attackers can extract user databases, payment information, personal data, and authentication tokens without detection, leading to identity theft, account takeover, and regulatory compliance violations (GDPR, CCPA, etc.). Organizations relying on this plugin for lead generation or customer forms face potential data breach notification costs, reputation damage, and legal liability. The lack of authentication requirement means attackers can exploit the flaw from anywhere on the internet.
Affected systems
Wow Forms WordPress plugin version 2.1 is explicitly vulnerable. The vulnerability affects all WordPress installations where this specific version is active and publicly accessible. Sites using other versions of Wow Forms or sites that have already removed the plugin are not affected. No vulnerability data for other versions has been disclosed.
Exploitability
This vulnerability is highly exploitable. It requires no authentication, no user interaction, and can be triggered via a simple HTTP POST request to a publicly accessible endpoint. An attacker needs only basic knowledge of SQL syntax and the plugin's action name to craft a working exploit. The network-accessible nature and low complexity of exploitation make this a critical priority for immediate remediation.
Remediation
Organizations using Wow Forms WordPress plugin v2.1 should immediately deactivate and remove the plugin until a patched version is available from the vendor. As an interim measure, restrict access to admin-ajax.php using web application firewall rules or .htaccess directives to block requests containing the 'send_mwp_form' action. After removal or patching, conduct a database audit and security log review to detect any unauthorized access, then reset user passwords and review user accounts for suspicious activity.
Patch guidance
Check the official Wow Forms plugin repository and vendor advisories for a patched release. Verify the fix includes proper parameterized queries or input validation for the 'mwpformid' parameter. Before applying patches in production, test in a staging environment to ensure compatibility with your WordPress version and other active plugins. Document the patch version number and deployment date for compliance records.
Detection guidance
Search WordPress logs and web server access logs for POST requests to admin-ajax.php containing the 'send_mwp_form' action, especially those with suspicious SQL characters (single quotes, dashes, 'UNION', 'SELECT', etc.) in the request parameters. Monitor database query logs for unexpected SELECT statements or table enumeration queries executed by the web server process. Implement intrusion detection signatures for SQL injection patterns targeting this endpoint. Review any recent user account creations or privilege escalations that coincide with suspicious log entries.
Why prioritize this
This vulnerability merits immediate attention due to its HIGH CVSS score (8.2), unauthenticated exploitation capability, and direct access to sensitive database content. The lack of user interaction required and network accessibility make it trivial to exploit at scale. Organizations should treat this as a critical security incident if the vulnerable plugin is active, regardless of their current security posture.
Risk score, explained
The CVSS v3.1 score of 8.2 reflects a combination of high-impact factors: unrestricted network access (AV:N), low attack complexity (AC:L), no authentication needed (PR:N), and no user interaction required (UI:N). The high confidentiality impact (C:H) reflects the ability to read arbitrary database content. The limited integrity impact (I:L) suggests the vulnerability may allow minor data modification in some query scenarios, while availability is not affected (A:N). This score appropriately elevates the urgency beyond a typical information disclosure flaw.
Frequently asked questions
How do I know if my WordPress site is affected?
Log into your WordPress admin dashboard, navigate to Plugins, and search for 'Wow Forms' in your active plugin list. If version 2.1 is installed and active, your site is vulnerable. You can also check your site's /wp-content/plugins/ directory for a folder named 'wow-forms' or similar and inspect its readme.txt file for the version number.
Can I safely keep the plugin disabled instead of uninstalling it?
Yes, a disabled plugin cannot be exploited. However, uninstallation is safer because it removes the vulnerable code entirely from your server, reducing the risk of accidental re-activation or misconfiguration. At minimum, ensure the plugin remains disabled until a secure version is available.
What should I do if I discover unauthorized database access in my logs?
Immediately take the site offline or restrict public access, change all WordPress user passwords, review user roles and permissions for unauthorized accounts, check for backdoors or malicious files, scan the server with a reputable security tool, and contact your hosting provider and legal team to assess breach scope and notification obligations.
Are there alternative plugins I should use instead?
Evaluate other form-building plugins like WPForms, Gravity Forms, Formidable Forms, or Elementor Forms based on your feature requirements and security track record. Always verify that any replacement plugin is actively maintained and has a documented security policy before deploying it to production.
This analysis is provided for informational and defensive purposes only. The information herein is based on public vulnerability data as of the publication date. Vendor patch status, affected product versions, and remediation timelines may change. Organizations should verify all technical details against official vendor advisories and conduct independent security testing before implementing recommendations. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and assumes no liability for misuse or damage arising from reliance on this information. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2016-20062HIGHSQL Injection in Simply Poll 1.4.1 WordPress Plugin - Unauthenticated Data Theft
- CVE-2016-20063HIGHSQL Injection in Single Personal Message 1.0.3 – Credential & Data Theft Risk
- CVE-2016-20065HIGHUnauthenticated SQL Injection in Product Catalog 8 WordPress Plugin
- CVE-2017-20243HIGHWordPress Car Park Booking Plugin SQL Injection Vulnerability
- CVE-2017-20245HIGHWow Viral Signups Plugin SQL Injection Vulnerability – Analysis & Patches
- CVE-2017-20246HIGHKittyCatfish 2.2 SQL Injection Vulnerability – WordPress Plugin Security Alert
- CVE-2017-20247HIGHSQL Injection in PICA Photo Gallery 1.0
- CVE-2017-20249HIGHApptha Slider Gallery SQL Injection Vulnerability