Platform: wordpress
Component: pixel-formbuilder
Fixed in: 1.0.3
CVE-2025-31914 describes a critical SQL Injection vulnerability discovered in the Pixel WordPress Form Builder Plugin & Autoresponder. The flaw allows attackers to perform blind SQL injection, potentially leading to unauthorized data access and manipulation. The vulnerability affects versions from 0 up to and including 1.0.2. A patch is available in version 1.0.3.
The SQL Injection vulnerability in Pixel WordPress Form Builder Plugin & Autoresponder allows an attacker to bypass the plugin's input handling and interact directly with the underlying database. Because it is a blind SQL injection, the attacker receives no query output and must infer data by observing how the application responds to different injected conditions. This is slower than error-based or union-based injection, but successful exploitation could still lead to the extraction of sensitive user data, including usernames, password hashes, email addresses, and form submissions. Depending on the database schema and the privileges of the database user, an attacker might also be able to modify or delete data, disrupting the website's functionality or causing data loss. The impact is particularly severe for websites that collect sensitive user information through forms.
CVE-2025-31914 was publicly disclosed on 2025-05-23. The vulnerability's severity is high due to the potential for data exfiltration and modification. No public proof-of-concept (POC) code has been identified at the time of writing, but the nature of blind SQL injection means that exploitation is feasible with sufficient effort. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.23% (46th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-31914 is to upgrade the Pixel WordPress Form Builder Plugin & Autoresponder to version 1.0.3 or later without delay. If upgrading is not immediately feasible because of compatibility issues or testing requirements, consider a Web Application Firewall (WAF) rule that filters SQL injection attempts against the vulnerable endpoints; a WAF is a stop-gap that reduces exposure but does not remove the flaw. Look for patterns associated with SQL injection payloads in user input. Monitor database logs for unusual query volume, slow or time-delayed queries, and error messages that might indicate an ongoing attack. Regularly review how user input reaches database queries and use parameterized queries, so that the same class of bug is not reintroduced.
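The mitigation advice above comes down to one rule: request data must never become part of the SQL text. The PHP below is an added illustration written for this page, not code from the Pixel WordPress Form Builder plugin (the plugin's vulnerable code path is not shown on this page); the function names, the `pfb_submissions` table and the `pfb_list` hook are hypothetical. It shows the unsafe concatenation pattern beside the hardened form, which passes values through `$wpdb->prepare()` and restricts identifiers such as ORDER BY columns to an allow-list.

```php
<?php
// Added illustration, not the plugin's code. Function names, the table
// name and the hook name are hypothetical.

// UNSAFE (hypothetical): request data is concatenated straight into the query.
// Both $form_id and $order_by reach the SQL text unchanged, which is the
// pattern behind blind SQL injection in WordPress plugins.
function pfb_unsafe_get_submissions( $form_id, $order_by ) {
    global $wpdb;
    $table = $wpdb->prefix . 'pfb_submissions'; // hypothetical table
    $sql   = "SELECT id, email, created_at FROM {$table} WHERE form_id = " . $form_id
           . " ORDER BY " . $order_by;
    return $wpdb->get_results( $sql );
}

// HARDENED: values are bound with $wpdb->prepare(); identifiers are allow-listed.
function pfb_safe_get_submissions( $form_id, $order_by ) {
    global $wpdb;
    $table = $wpdb->prefix . 'pfb_submissions';

    // Column names cannot be bound as placeholders, so map the request value
    // onto a fixed set of known columns and fall back to a safe default.
    $allowed_columns = array( 'id', 'email', 'created_at' );
    if ( ! in_array( $order_by, $allowed_columns, true ) ) {
        $order_by = 'created_at';
    }

    // %d forces an integer; the value never appears in the SQL text unescaped.
    $sql = $wpdb->prepare(
        "SELECT id, email, created_at FROM {$table} WHERE form_id = %d ORDER BY {$order_by}",
        absint( $form_id )
    );
    return $wpdb->get_results( $sql );
}

// Typical call site: authorize, verify the nonce, sanitize, then query.
// add_action( 'admin_post_pfb_list', 'pfb_list_handler' ); // hypothetical hook
function pfb_list_handler() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'pfb_list' ); // nonce check, blocks CSRF-driven requests

    $form_id  = isset( $_GET['form_id'] ) ? absint( wp_unslash( $_GET['form_id'] ) ) : 0;
    $order_by = isset( $_GET['order_by'] )
        ? sanitize_key( wp_unslash( $_GET['order_by'] ) )
        : 'created_at';

    $rows = pfb_safe_get_submissions( $form_id, $order_by );
    wp_send_json( $rows );
}
```

When reviewing a plugin for this bug class, search for `$wpdb->query`, `$wpdb->get_results`, `$wpdb->get_var` and `$wpdb->get_row` calls whose SQL string is built with `.` or `"{$var}"` from anything derived from `$_GET`, `$_POST`, `$_REQUEST` or `$_COOKIE`; every such site should either go through `prepare()` or, for identifiers, through an allow-list like the one above.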
Update to version 1.0.3, or a newer patched version
CVE-2025-31914 is a critical SQL Injection vulnerability affecting the Pixel WordPress Form Builder Plugin & Autoresponder, allowing attackers to potentially extract data from the database.
You are affected if you are using Pixel WordPress Form Builder Plugin & Autoresponder versions 0 through 1.0.2. Upgrade to 1.0.3 or later to resolve the vulnerability.
Upgrade the Pixel WordPress Form Builder Plugin & Autoresponder to version 1.0.3 or later. Consider implementing a WAF rule to filter malicious SQL injection attempts as an interim measure.
While no active exploitation has been publicly confirmed, the vulnerability's nature makes it a potential target, and proactive mitigation is recommended.
Refer to the Pixel WordPress Form Builder Plugin & Autoresponder website or the WordPress plugin repository for the official advisory and update information.