Platform
wordpress
Component
easy-form-builder
Fixed in
3.8.16
CVE-2025-54678 describes a critical SQL Injection vulnerability discovered in the Easy Form Builder plugin for WordPress. This flaw allows attackers to perform blind SQL injection, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 through 3.8.15, and a patch is available in version 3.8.16.
The SQL Injection vulnerability in Easy Form Builder allows an attacker to bypass security controls and directly interact with the underlying database. Due to the 'blind' nature of the injection, attackers must infer information through trial and error, making exploitation potentially time-consuming but still highly impactful. Successful exploitation could lead to the extraction of sensitive user data, including usernames, passwords, email addresses, and potentially even financial information if the plugin is used to collect such data. Lateral movement within the WordPress environment is possible if the attacker can leverage the injected SQL queries to gain access to other administrative functions or data stores. The blast radius extends to all users of the affected plugin, particularly those handling sensitive data.
CVE-2025-54678 was publicly disclosed on 2025-08-14. The vulnerability is not currently listed on the CISA KEV catalog, and its EPSS score is pending evaluation. No public proof-of-concept exploits have been identified as of this writing, but the severity of the vulnerability and the ease of exploitation (blind SQL injection) suggest a potential for active exploitation in the future. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS
0.04% (11% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-54678 is to immediately upgrade Easy Form Builder to version 3.8.16 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. Web Application Firewalls (WAFs) configured with rules to detect and block SQL injection attempts targeting the Easy Form Builder plugin can provide an additional layer of defense. Carefully review and sanitize all user inputs to prevent malicious SQL code from being injected. Monitor WordPress logs for suspicious database queries that might indicate an ongoing attack. After upgrading, confirm the fix by attempting a SQL injection payload through the form and verifying that it is properly sanitized and does not return any database information.
Update the Easy Form Builder plugin to a patched version. Check the plugin website or the WordPress repository for the latest available version. Perform a full website backup before performing any updates.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-54678 is a critical SQL Injection vulnerability affecting Easy Form Builder versions 0.0.0–3.8.15, allowing attackers to extract data via blind SQL injection.
If you are using Easy Form Builder version 0.0.0 through 3.8.15 on your WordPress site, you are potentially affected by this vulnerability.
Upgrade Easy Form Builder to version 3.8.16 or later to remediate the SQL Injection vulnerability. Consider WAF rules as a temporary measure if immediate upgrade is not possible.
While no public exploits have been confirmed, the severity of the vulnerability suggests a potential for active exploitation. Continuous monitoring is recommended.
Refer to the Easy Form Builder official website and WordPress plugin repository for the latest advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.