What is CVE-2025-24200?
CVE-2025-24200 is a critical SQL Injection vulnerability discovered in the popular Forminator plugin for WordPress, used for creating custom forms, polls, and quizzes.
Due to insufficient input sanitization and escaping on user-supplied data, attackers can manipulate SQL queries and access, modify, or delete sensitive data directly from the database.
Since Forminator is widely installed across thousands of WordPress sites, CVE-2025-24200 poses a significant threat to websites’ confidentiality and integrity.
Quick Facts
| Item | Details |
|---|---|
| CVE ID | CVE-2025-24200 |
| Severity | Critical |
| CVSS Score | 9.0 |
| Attack Vector | Remote |
| Privileges Required | None |
| User Interaction | Required (submission of a form) |
| Impact | Database Exposure, Website Takeover |
Who Should Be Paying Attention?
You are affected if:
- Your WordPress site uses Forminator plugin versions prior to 1.30.2.
- You allow users to submit forms, surveys, polls, or quizzes on your site.
- You have sensitive information stored in your WordPress database (users, emails, orders, etc.).
Forminator is widely used by e-commerce, bloggers, educators, and membership sites — making a huge portion of WordPress sites vulnerable.
Who is Exploiting CVE-2025-24200 and How?
So far, targeted exploitation has been detected against poorly secured websites. Attackers mainly:
- Exfiltrate data like usernames, hashed passwords, and emails
- Inject malicious admin accounts
- Modify website content (defacements)
Exploitation requires sending malicious form submissions to vulnerable endpoints, making it a relatively easy attack even for low-skilled threat actors (script kiddies).
How Are Things Likely to Develop?
Given the simplicity of exploiting SQL Injection, CVE-2025-24200 could become:
- Mass-exploited using bots scanning WordPress sites
- Incorporated into automated exploit frameworks
- Used in ransomware campaigns targeting SMB websites
Immediate patching is highly recommended to avoid large-scale attacks.
How Long Has CVE-2025-24200 Been Around?
The vulnerability was introduced in earlier versions of Forminator before late 2024 and officially disclosed in March 2025. Many websites using older plugin versions (due to missed updates) remain vulnerable.
Proof of Concept (PoC)
Researchers shared a basic PoC on GitHub demonstrating how a crafted POST request to the form handler could extract database records.
Disclaimer: Provided for educational and defensive use only.
Sample payload:
```http
POST /wp-admin/admin-ajax.php?action=forminator_form_submit HTTP/1.1
Host: victimsite.com
Content-Type: application/x-www-form-urlencoded

form_id=1&name=test' UNION SELECT user_login, user_pass FROM wp_users--
```
This payload attempts to fetch usernames and password hashes from the WordPress user table.
How to Mitigate or Patch CVE-2025-24200?
- Update Forminator Plugin: Immediately update to version 1.30.2 or later.
- Restrict User Inputs: Validate and sanitize all inputs even at the theme or server level.
- Enable Web Application Firewall (WAF): Deploy WAF solutions (e.g., Cloudflare, Sucuri) to block suspicious SQL queries.
- Monitor Site Logs: Regularly audit submission logs for suspicious patterns.
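The log-auditing step above, worked through as an added example (not code from the original post or from the Forminator project): a small scanner that reads a form-submission log, flags field values carrying SQL injection markers such as the quote-plus-UNION pattern shown in the PoC, and lists the source IPs that repeat them. The JSON-lines log format and its field names (ip, form_id, fields) are assumptions for this example, and the sample lines are constructed.

```python
import json
import re
from collections import Counter

# Constructed sample of a form-submission log in JSON-lines form. The field
# names (ip, form_id, fields) are assumptions, not Forminator's real log format.
SAMPLE_LOG = """\
{"ip": "203.0.113.5", "form_id": 1, "fields": {"name": "Alice", "email": "alice@example.org"}}
{"ip": "198.51.100.9", "form_id": 1, "fields": {"name": "test' UNION SELECT user_login, user_pass FROM wp_users--", "email": "x@x"}}
{"ip": "198.51.100.9", "form_id": 1, "fields": {"name": "a' OR 1=1-- ", "email": "x@x"}}
{"ip": "203.0.113.7", "form_id": 2, "fields": {"name": "O'Brien", "email": "ob@example.org"}}
"""

# Patterns that are rare in legitimate form input but typical of SQL injection
# probes: a quote followed by a SQL keyword, UNION ... SELECT, a trailing
# comment that discards the rest of the query, and numeric tautologies.
SQLI_PATTERNS = [
    re.compile(r"['\"]\s*(union|select|or|and)\b", re.IGNORECASE),
    re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE),
    re.compile(r"(--|#|/\*)\s*$"),
    re.compile(r"\b(or|and)\b\s+\d+\s*=\s*\d+", re.IGNORECASE),
]

def sqli_indicators(value: str) -> list[str]:
    """Return the regex sources that match a single submitted field value."""
    return [p.pattern for p in SQLI_PATTERNS if p.search(value)]

def scan_submissions(log_text: str) -> list[dict]:
    """Flag every submission whose field values look like an injection attempt."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        entry = json.loads(line)
        for field, value in entry.get("fields", {}).items():
            hits = sqli_indicators(str(value))
            if hits:
                findings.append({"line": lineno, "ip": entry["ip"],
                                 "form_id": entry["form_id"],
                                 "field": field, "patterns": hits})
    return findings

def suspicious_sources(findings: list[dict], threshold: int = 2) -> dict[str, int]:
    """IPs with at least `threshold` flagged submissions: candidates for a WAF block rule."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    found = scan_submissions(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']}: ip={f['ip']} form={f['form_id']} field={f['field']}")
    print("repeat offenders:", suspicious_sources(found))
```

Note that the apostrophe in "O'Brien" is not flagged: the patterns key on a quote followed by a SQL keyword, not on quotes alone, which keeps ordinary names out of the findings.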
Conclusion
CVE-2025-24200 is a dangerous, easy-to-exploit SQL Injection vulnerability affecting thousands of WordPress websites.
Site owners must act quickly by patching their plugins, applying firewall rules, and monitoring for suspicious activity. Leaving this unpatched could result in serious data breaches, SEO penalties, and website takeovers.
Frequently Asked Questions (FAQs)
What is CVE-2025-24200?
A critical SQL Injection vulnerability in the WordPress Forminator plugin, allowing attackers to exfiltrate or modify database data.
Which versions of Forminator are affected?
Versions prior to 1.30.2 are vulnerable.
Has CVE-2025-24200 been exploited in the wild?
Yes, limited targeted attacks have been reported.
How can CVE-2025-24200 be exploited?
By sending specially crafted form submissions that manipulate SQL queries on the server.
What can an attacker do by exploiting this vulnerability?
Exfiltrate user credentials, inject admin accounts, modify site content, or even completely take over a WordPress site.
How do I fix CVE-2025-24200?
Update the Forminator plugin to version 1.30.2 or later.
Should I also secure my WordPress site beyond just updating Forminator?
Absolutely — you should implement WAF protection, regular patching, and audit user roles.
Is it possible to detect if someone already exploited my site?
Yes, check access logs for strange POST requests and look for unauthorized admin users.
Are free firewalls like Wordfence effective against such attacks?
Yes, Wordfence and similar plugins can block basic SQLi attempts if properly configured.
Where can I learn more about CVE-2025-24200?
Monitoring security advisories from WordPress.org or plugin authors is recommended.