The kamleshyadav Pixel WordPress Form BuilderPlugin & Autoresponder versions up to 1.0.2 contain an SQL Injection vulnerability caused by improper neutralization of special elements in SQL commands. This flaw enables Blind SQL Injection attacks, allowing remote attackers to potentially extract sensitive data from the database without authentication. The vulnerability is remotely exploitable over the network with low complexity and does not require user interaction or privileges. The CVSS 3.1 base score is 9.3, reflecting critical severity with a confidentiality impact rated high, integrity impact none, and availability impact low. No patch or official remediation guidance has been provided yet.

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to perform Blind SQL Injection attacks, potentially leading to unauthorized disclosure of sensitive information from the backend database. The integrity of data is not impacted, but availability may be slightly affected. The vulnerability poses a critical risk due to the ease of exploitation and the high confidentiality impact.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or removing the affected plugin version to mitigate risk. Monitor official sources for updates and apply patches promptly once available.