{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2017-20244","assignerOrgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","state":"PUBLISHED","assignerShortName":"VulnCheck","dateReserved":"2026-06-08T11:44:30.995Z","datePublished":"2026-06-09T11:48:34.087Z","dateUpdated":"2026-06-09T13:09:54.048Z"},"containers":{"cna":{"providerMetadata":{"orgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","shortName":"VulnCheck","dateUpdated":"2026-06-09T11:48:34.087Z"},"tags":["unsupported-when-assigned"],"datePublic":"2017-04-25T00:00:00.000Z","title":"Wow Forms WordPress Plugin 2.1 SQL Injection","descriptions":[{"lang":"en","value":"Wow Forms WordPress Plugin version 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to read arbitrary database information by exploiting an unescaped POST parameter. Attackers can inject SQL code through the 'mwpformid' parameter in requests to the admin-ajax.php endpoint with the 'send_mwp_form' action to extract sensitive database contents."}],"problemTypes":[{"descriptions":[{"lang":"en","description":"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","cweId":"CWE-89","type":"CWE"}]}],"affected":[{"vendor":"Wow-Company","product":"Wow Forms","versions":[{"version":"2.1","status":"affected"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wow-company:wow_forms:2.1:*:*:*:*:*:*:*"},{"vulnerable":true,"criteria":"cpe:2.3:a:wow-company:wow_forms:-:*:*:*:*:wordpress:*:*"}]}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.8,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS"},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.2,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","version":"3.1"},"format":"CVSS"}],"references":[{"url":"https://www.exploit-db.com/exploits/41922","name":"ExploitDB-41922","tags":["exploit"]},{"url":"http://wow-company.com/","name":"Official Product Homepage","tags":["product"]},{"url":"https://tad.group","name":"Official Product Homepage","tags":["product"]},{"url":"https://wordpress.org/plugins/mwp-forms/","name":"Product Reference","tags":["product"]},{"name":"VulnCheck Advisory: Wow Forms WordPress Plugin 2.1 SQL Injection","tags":["third-party-advisory"],"url":"https://www.vulncheck.com/advisories/wow-forms-wordpress-plugin-sql-injection"}],"credits":[{"lang":"en","value":"TAD GROUP","type":"finder"}],"x_generator":{"engine":"vulncheck"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-09T13:09:48.391151Z","id":"CVE-2017-20244","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-09T13:09:54.048Z"}}]}}