CVE-2025-6782 Overview
CVE-2025-6782 is an unauthenticated SQL injection vulnerability in the GoZen Forms plugin for WordPress, developed by Optinlyhq. The flaw resides in the dirGZActiveForm() function, which fails to properly escape and prepare the forms-id parameter before incorporating it into a SQL query. All plugin versions up to and including 1.1.5 are affected. Attackers can append additional SQL statements to existing queries and extract sensitive data from the WordPress database without authentication. The weakness is classified under CWE-89: Improper Neutralization of Special Elements used in an SQL Command.
Critical Impact
Unauthenticated attackers can exfiltrate database contents, including user credentials and personally identifiable information stored by WordPress and the GoZen Forms plugin.
Affected Products
- Optinlyhq GoZen Forms plugin for WordPress, versions * through 1.1.5
- WordPress sites with the GoZen Forms plugin installed and activated
- Any database accessible to the WordPress instance running the vulnerable plugin
Discovery Timeline
- 2025-07-04 - CVE-2025-6782 published to the National Vulnerability Database
- 2025-07-09 - Last updated in NVD database
Technical Details for CVE-2025-6782
Vulnerability Analysis
The vulnerability exists in the dirGZActiveForm() function within the GoZen Forms plugin. The function accepts the forms-id parameter from user-supplied input and concatenates it into a SQL query without sufficient escaping or use of prepared statements. Because the endpoint does not require authentication, any remote actor capable of issuing HTTP requests to the WordPress site can trigger the flaw.
The EPSS probability for this CVE is 0.326%, placing it in the 55th percentile of vulnerabilities by predicted exploitation likelihood. While no public proof-of-concept has been published, SQL injection in WordPress plugins is a well-understood attack class and commonly weaponized through automated scanners.
Root Cause
The root cause is twofold. First, the forms-id parameter is not validated or cast to an integer before use. Second, the plugin constructs the SQL query through string concatenation rather than using the $wpdb->prepare() API provided by WordPress. The combination allows attacker-controlled input to alter the query's structure.
Attack Vector
The attack is network-based and requires no privileges or user interaction. An attacker issues an HTTP request to the vulnerable endpoint with a crafted forms-id value containing SQL syntax such as UNION SELECT clauses. The injected payload extends the original query, allowing the attacker to read arbitrary tables, including wp_users and wp_usermeta. The Wordfence threat intelligence team documented the technical details in their vulnerability analysis.
Detection Methods for CVE-2025-6782
Indicators of Compromise
- HTTP requests containing SQL keywords such as UNION, SELECT, SLEEP, or INFORMATION_SCHEMA in the forms-id parameter
- Web server access logs showing unusually long or URL-encoded forms-id values originating from a single IP or scanning infrastructure
- Unexpected database error messages or HTTP 500 responses tied to GoZen Forms endpoints
- New or modified WordPress administrator accounts following suspicious form requests
Detection Strategies
- Inspect web access logs for requests targeting GoZen Forms endpoints with non-numeric forms-id values
- Enable MySQL general query logging temporarily to surface anomalous queries containing UNION or stacked statements originating from the WordPress process
- Deploy a web application firewall rule that blocks SQL metacharacters in the forms-id parameter
- Correlate WAF alerts with WordPress audit logs to identify successful exploitation attempts
Monitoring Recommendations
- Monitor outbound database query volume from the WordPress host for spikes indicative of bulk data extraction
- Alert on read access to sensitive tables such as wp_users, wp_options, and any custom GoZen Forms tables outside normal plugin operation
- Track plugin version inventory across WordPress fleets to identify hosts still running GoZen Forms 1.1.5 or earlier
How to Mitigate CVE-2025-6782
Immediate Actions Required
- Update the GoZen Forms plugin to a version later than 1.1.5 as soon as a patched release is available on the WordPress plugin repository
- Deactivate and remove the GoZen Forms plugin if a patched version is not yet available and the plugin is not business-critical
- Audit the WordPress database for unauthorized administrator accounts and password resets
- Rotate WordPress administrator credentials and any API keys stored in wp_options
Patch Information
At the time of NVD publication, all versions up to and including 1.1.5 are affected. Administrators should monitor the GoZen Forms plugin page and the Wordfence advisory for the patched release version and apply it immediately.
Workarounds
- Restrict access to the vulnerable endpoint at the web server or WAF layer until the plugin is patched
- Add a WAF rule that rejects requests where forms-id is not a positive integer
- Limit the database user privileges used by WordPress to the minimum required, denying access to tables outside the WordPress schema
# Example ModSecurity rule to block non-numeric forms-id values
SecRule ARGS:forms-id "!@rx ^[0-9]+$" \
"id:1006782,phase:2,deny,status:403,\
msg:'CVE-2025-6782: Non-numeric forms-id parameter blocked'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

