CVE-2017-20244 Overview
CVE-2017-20244 is an SQL injection vulnerability [CWE-89] in the Wow Forms WordPress plugin version 2.1, also distributed as MWP Forms. The flaw resides in the mwpformid POST parameter handled by the admin-ajax.php endpoint when invoking the send_mwp_form action. The parameter is passed unescaped into a backend SQL query, allowing unauthenticated attackers to inject arbitrary SQL statements.
Successful exploitation lets remote attackers read arbitrary database contents, including WordPress user records, password hashes, and session tokens. No authentication or user interaction is required.
Critical Impact
Unauthenticated remote attackers can extract sensitive database contents from any WordPress site running Wow Forms 2.1 by sending a single crafted POST request to admin-ajax.php.
Affected Products
- Wow Forms WordPress Plugin version 2.1
- MWP Forms WordPress Plugin (alternate distribution name)
- WordPress sites with the vulnerable plugin installed and activated
Discovery Timeline
- 2026-06-09 - CVE-2017-20244 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2017-20244
Vulnerability Analysis
The vulnerability is a classic SQL injection [CWE-89] in the WordPress AJAX handler exposed by the Wow Forms plugin. When the plugin receives a POST request to wp-admin/admin-ajax.php with the action=send_mwp_form parameter, it reads the mwpformid value from the request body and concatenates it into a SQL query without escaping, parameterization, or type casting.
Because the AJAX action is registered for both authenticated and unauthenticated users, no credentials or nonce token are required to reach the vulnerable code path. The injection point sits inside a SELECT statement, enabling UNION-based extraction of arbitrary tables in the WordPress database.
Referenced public exploitation material is available via Exploit-DB #41922 and the VulnCheck Advisory for SQL Injection.
Root Cause
The root cause is missing input validation and missing use of prepared statements when handling user-supplied form identifiers. The plugin trusts the mwpformid POST parameter and interpolates it directly into a SQL query string. WordPress provides $wpdb->prepare() to defend against this class of issue, but the plugin does not use it on this code path.
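The two query patterns side by side, as an added Python illustration of the root cause (this is not the plugin's PHP and the mwp_forms table with its columns is an assumption made for the example; wp_users mirrors the real table's user_login and user_pass columns). The vulnerable function concatenates the request value the way the plugin does; the hardened one does what $wpdb->prepare() with a %d placeholder would do, casting the identifier to an integer and binding it as a parameter:

```python
import sqlite3

# Constructed in-memory stand-in for the WordPress database. The mwp_forms
# table and its columns are an assumption for this example, not the plugin's
# real schema; wp_users mirrors the real table's user_login/user_pass columns.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE mwp_forms (id INTEGER PRIMARY KEY, name TEXT, recipient TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO mwp_forms VALUES (1, 'contact', 'owner@example.invalid');
        INSERT INTO wp_users VALUES (1, 'admin', '$P$B-constructed-hash');
    """)
    return db

def lookup_form_vulnerable(db, mwpformid):
    """The defective pattern: the raw request value is glued into the SQL text,
    so anything after the number becomes part of the statement."""
    sql = "SELECT name, recipient FROM mwp_forms WHERE id = " + mwpformid
    return db.execute(sql).fetchall()

def lookup_form_safe(db, mwpformid):
    """The hardened pattern, equivalent to $wpdb->prepare('... WHERE id = %d', $id):
    coerce the identifier to an integer, then bind it as a parameter so the
    driver never treats the value as SQL."""
    try:
        form_id = int(mwpformid)
    except (TypeError, ValueError):
        return []          # reject anything that is not a plain form number
    return db.execute(
        "SELECT name, recipient FROM mwp_forms WHERE id = ?", (form_id,)
    ).fetchall()

if __name__ == "__main__":
    db = build_db()
    benign = "1"
    # The UNION shape the Attack Vector section describes (constructed input).
    hostile = "1 UNION SELECT user_login, user_pass FROM wp_users"
    print("vulnerable, benign :", lookup_form_vulnerable(db, benign))
    print("vulnerable, hostile:", lookup_form_vulnerable(db, hostile))
    print("safe, benign       :", lookup_form_safe(db, benign))
    print("safe, hostile      :", lookup_form_safe(db, hostile))
```

Run as a script, the vulnerable lookup returns the wp_users row alongside the form row for the hostile input, while the hardened lookup returns nothing because the value fails the integer cast before any SQL is built. Binding alone would also have been enough here (a bound string can never extend the statement), but the cast additionally rejects junk identifiers early, which is what %d in $wpdb->prepare() gives you.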
Attack Vector
An attacker sends an HTTP POST request to /wp-admin/admin-ajax.php with action=send_mwp_form and a malicious payload in the mwpformid parameter. A typical payload uses a UNION SELECT construct to append attacker-controlled columns to the original query result, returning data such as user_login and user_pass from the wp_users table. No authentication, session, or interaction with site administrators is required.
// No verified exploit code is reproduced here. See Exploit-DB #41922
// for the published proof of concept covering the mwpformid parameter
// in the send_mwp_form AJAX action.
Detection Methods for CVE-2017-20244
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php containing action=send_mwp_form combined with SQL keywords such as UNION, SELECT, SLEEP, or INFORMATION_SCHEMA in the mwpformid parameter.
- Repeated admin-ajax.php requests from a single source IP enumerating values of mwpformid.
- WordPress database query errors in PHP error logs referencing the Wow Forms or MWP Forms plugin tables.
- Outbound DNS or HTTP callbacks originating from the WordPress host shortly after suspicious form submissions.
Detection Strategies
- Inspect web server access logs for POST requests to admin-ajax.php where the body contains both send_mwp_form and SQL metacharacters.
- Deploy WAF or ModSecurity rules that flag SQL injection patterns inside the mwpformid parameter.
- Correlate spikes in admin-ajax.php traffic with database error events to identify in-progress exploitation attempts.
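A small log checker that applies the indicators and strategies above, added here as an example and not part of the original advisory. It assumes a log source that records the POST body (a WAF audit log, or nginx with $request_body in its log_format; stock access logs do not), in a constructed "<ip> <method> <path> <body>" layout, and reuses the mwpformid regex from the ModSecurity rule in the Workarounds section. It also treats any non-numeric mwpformid as suspicious, which goes slightly beyond the keyword list in the text, and counts hits per source to surface the enumeration pattern:

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Same pattern the ModSecurity rule in the Workarounds section applies to mwpformid.
SQLI_RE = re.compile(r"(?i)(union(\s|/\*).*select|information_schema|sleep\s*\(|--\s|;\s*drop)")

# Constructed sample log. Assumed format (not a standard Apache/nginx format):
# "<client ip> <method> <path> <raw POST body or '-'>", as a WAF audit log or
# nginx with $request_body in its log_format would record it.
SAMPLE_LOG = """\
203.0.113.10 POST /wp-admin/admin-ajax.php action=send_mwp_form&mwpformid=3&mwpname=Bob
203.0.113.77 POST /wp-admin/admin-ajax.php action=send_mwp_form&mwpformid=1%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users
203.0.113.77 POST /wp-admin/admin-ajax.php action=send_mwp_form&mwpformid=1%20AND%20SLEEP(5)
198.51.100.5 POST /wp-admin/admin-ajax.php action=heartbeat&_nonce=deadbeef
203.0.113.77 POST /wp-admin/admin-ajax.php action=send_mwp_form&mwpformid=5%27
203.0.113.10 GET /index.php -
"""

def parse_line(line):
    """Split one log line into its fields; returns None for lines that do not fit."""
    parts = line.strip().split(" ", 3)
    if len(parts) != 4:
        return None
    ip, method, path, body = parts
    return {"ip": ip, "method": method, "path": urlparse(path).path, "body": body}

def decoded_form_id(body):
    """Percent-decode the body and pull out mwpformid ('' when absent)."""
    return parse_qs(body, keep_blank_values=True).get("mwpformid", [""])[0]

def classify(entry):
    """Return a reason string when the request matches the CVE-2017-20244
    indicators above, otherwise None."""
    if entry["method"] != "POST" or not entry["path"].endswith("/admin-ajax.php"):
        return None
    params = parse_qs(entry["body"], keep_blank_values=True)
    if params.get("action", [""])[0] != "send_mwp_form":
        return None
    form_id = decoded_form_id(entry["body"])
    if SQLI_RE.search(form_id):
        return "sql keywords in mwpformid"
    if not form_id.isdigit():
        # A legitimate form identifier is a plain integer; quotes, operators
        # or an empty value are at least worth a look.
        return "non-numeric mwpformid"
    return None

def analyze(log_text):
    """Walk the log and collect every flagged request with its decoded mwpformid."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            findings.append({"ip": entry["ip"],
                             "mwpformid": decoded_form_id(entry["body"]),
                             "reason": reason})
    return findings

def count_by_source(findings):
    """Hits per client IP, to surface a single host enumerating mwpformid."""
    return dict(Counter(f["ip"] for f in findings))

if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']:<14} {h['reason']:<26} mwpformid={h['mwpformid']!r}")
    print("per source:", count_by_source(hits))
```

On the sample above the benign submission (mwpformid=3) and the unrelated heartbeat action are ignored, the three requests from 203.0.113.77 are flagged, and the per-source count makes that host stand out. The same classify() logic can be pointed at a real body-logging source once the parse_line() layout is adjusted; the decode step matters because the keywords arrive percent-encoded in the raw body.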
Monitoring Recommendations
- Forward WordPress, PHP, and web server logs to a central log platform and alert on SQL injection signatures targeting admin-ajax.php.
- Monitor the wp_users table for unexpected reads or downstream credential reuse, such as admin logins from new geolocations.
- Track installed WordPress plugin inventory and alert when Wow Forms or MWP Forms 2.1 is detected on managed sites.
How to Mitigate CVE-2017-20244
Immediate Actions Required
- Deactivate and remove the Wow Forms / MWP Forms plugin version 2.1 from all WordPress installations until a fixed release is confirmed.
- Rotate WordPress administrator passwords and invalidate active sessions on any site where the plugin was installed.
- Review WordPress and database logs for evidence of exploitation, focusing on POST requests to admin-ajax.php with the send_mwp_form action.
- Block exploitation attempts at the WAF by filtering SQL metacharacters in the mwpformid parameter.
Patch Information
No vendor patch advisory is referenced in the available CVE data. Administrators should consult the WordPress Plugin MWP Forms page and the VulnCheck Advisory for SQL Injection for the latest remediation status, and uninstall the plugin if a fixed version is not available.
Workarounds
- Uninstall the plugin entirely if business requirements allow, and migrate to an actively maintained WordPress form plugin.
- Restrict access to /wp-admin/admin-ajax.php from untrusted networks where feasible, or require authentication at the reverse proxy layer.
- Add WAF rules that reject POST bodies to admin-ajax.php containing action=send_mwp_form together with SQL keywords such as UNION, SELECT, --, or INFORMATION_SCHEMA.
# Example ModSecurity rule to block SQLi in the mwpformid parameter
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
"chain,phase:2,deny,status:403,id:1720244,\
msg:'CVE-2017-20244 Wow Forms SQLi attempt'"
SecRule ARGS:action "@streq send_mwp_form" "chain"
SecRule ARGS:mwpformid "@rx (?i)(union(\s|/\*).*select|information_schema|sleep\s*\(|--\s|;\s*drop)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.