Skip to main content
CVE Vulnerability Database

CVE-2025-6782: GoZen Forms WordPress SQLi Vulnerability

CVE-2025-6782 is a SQL injection flaw in GoZen Forms plugin for WordPress affecting versions up to 1.1.5. Unauthenticated attackers can extract sensitive database information. This article covers technical details, impact, and fixes.

Updated:

CVE-2025-6782 Overview

CVE-2025-6782 is an unauthenticated SQL injection vulnerability in the GoZen Forms plugin for WordPress, developed by Optinlyhq. The flaw resides in the dirGZActiveForm() function, which fails to properly escape and prepare the forms-id parameter before incorporating it into a SQL query. All plugin versions up to and including 1.1.5 are affected. Attackers can append additional SQL statements to existing queries and extract sensitive data from the WordPress database without authentication. The weakness is classified under CWE-89: Improper Neutralization of Special Elements used in an SQL Command.

Critical Impact

Unauthenticated attackers can exfiltrate database contents, including user credentials and personally identifiable information stored by WordPress and the GoZen Forms plugin.

Affected Products

  • Optinlyhq GoZen Forms plugin for WordPress, versions * through 1.1.5
  • WordPress sites with the GoZen Forms plugin installed and activated
  • Any database accessible to the WordPress instance running the vulnerable plugin

Discovery Timeline

  • 2025-07-04 - CVE-2025-6782 published to the National Vulnerability Database
  • 2025-07-09 - Last updated in NVD database

Technical Details for CVE-2025-6782

Vulnerability Analysis

The vulnerability exists in the dirGZActiveForm() function within the GoZen Forms plugin. The function accepts the forms-id parameter from user-supplied input and concatenates it into a SQL query without sufficient escaping or use of prepared statements. Because the endpoint does not require authentication, any remote actor capable of issuing HTTP requests to the WordPress site can trigger the flaw.

The EPSS probability for this CVE is 0.326%, placing it in the 55th percentile of vulnerabilities by predicted exploitation likelihood. While no public proof-of-concept has been published, SQL injection in WordPress plugins is a well-understood attack class and commonly weaponized through automated scanners.

Root Cause

The root cause is twofold. First, the forms-id parameter is not validated or cast to an integer before use. Second, the plugin constructs the SQL query through string concatenation rather than using the $wpdb->prepare() API provided by WordPress. The combination allows attacker-controlled input to alter the query's structure.

Attack Vector

The attack is network-based and requires no privileges or user interaction. An attacker issues an HTTP request to the vulnerable endpoint with a crafted forms-id value containing SQL syntax such as UNION SELECT clauses. The injected payload extends the original query, allowing the attacker to read arbitrary tables, including wp_users and wp_usermeta. The Wordfence threat intelligence team documented the technical details in their vulnerability analysis.

Detection Methods for CVE-2025-6782

Indicators of Compromise

  • HTTP requests containing SQL keywords such as UNION, SELECT, SLEEP, or INFORMATION_SCHEMA in the forms-id parameter
  • Web server access logs showing unusually long or URL-encoded forms-id values originating from a single IP or scanning infrastructure
  • Unexpected database error messages or HTTP 500 responses tied to GoZen Forms endpoints
  • New or modified WordPress administrator accounts following suspicious form requests

Detection Strategies

  • Inspect web access logs for requests targeting GoZen Forms endpoints with non-numeric forms-id values
  • Enable MySQL general query logging temporarily to surface anomalous queries containing UNION or stacked statements originating from the WordPress process
  • Deploy a web application firewall rule that blocks SQL metacharacters in the forms-id parameter
  • Correlate WAF alerts with WordPress audit logs to identify successful exploitation attempts

Monitoring Recommendations

  • Monitor outbound database query volume from the WordPress host for spikes indicative of bulk data extraction
  • Alert on read access to sensitive tables such as wp_users, wp_options, and any custom GoZen Forms tables outside normal plugin operation
  • Track plugin version inventory across WordPress fleets to identify hosts still running GoZen Forms 1.1.5 or earlier

How to Mitigate CVE-2025-6782

Immediate Actions Required

  • Update the GoZen Forms plugin to a version later than 1.1.5 as soon as a patched release is available on the WordPress plugin repository
  • Deactivate and remove the GoZen Forms plugin if a patched version is not yet available and the plugin is not business-critical
  • Audit the WordPress database for unauthorized administrator accounts and password resets
  • Rotate WordPress administrator credentials and any API keys stored in wp_options

Patch Information

At the time of NVD publication, all versions up to and including 1.1.5 are affected. Administrators should monitor the GoZen Forms plugin page and the Wordfence advisory for the patched release version and apply it immediately.

Workarounds

  • Restrict access to the vulnerable endpoint at the web server or WAF layer until the plugin is patched
  • Add a WAF rule that rejects requests where forms-id is not a positive integer
  • Limit the database user privileges used by WordPress to the minimum required, denying access to tables outside the WordPress schema
bash
# Example ModSecurity rule to block non-numeric forms-id values
SecRule ARGS:forms-id "!@rx ^[0-9]+$" \
  "id:1006782,phase:2,deny,status:403,\
   msg:'CVE-2025-6782: Non-numeric forms-id parameter blocked'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.