
CVE-2025-7638: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in wpmudev Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Medium
Tags: Vulnerability, CVE-2025-7638, CWE-89
Published: Fri Jul 18 2025 (07/18/2025, 04:23:01 UTC)
Source: CVE Database V5
Vendor/Project: wpmudev
Product: Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Description

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to time-based SQL Injection via the `order_by` parameter in all versions up to, and including, 1.45.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AI-Powered Analysis

Last updated: 07/18/2025, 04:47:13 UTC

Technical Analysis

CVE-2025-7638 is a medium-severity SQL Injection vulnerability affecting the WordPress plugin 'Forminator Forms – Contact Form, Payment Form & Custom Form Builder' developed by wpmudev. This vulnerability exists in all versions up to and including 1.45.0. The root cause is improper neutralization of special elements used in SQL commands (CWE-89), specifically via the 'order_by' parameter. The plugin fails to properly escape or prepare the user-supplied 'order_by' parameter before incorporating it into SQL queries. As a result, authenticated users with Administrator-level privileges or higher can inject additional SQL commands into existing queries. This injection is time-based, meaning attackers can infer data by measuring response delays, allowing them to extract sensitive information from the database without direct error messages or visible output. The vulnerability does not require user interaction beyond authentication, and the attacker must have high privileges, which limits the attack surface but still poses a significant risk if an administrator account is compromised or malicious. The CVSS v3.1 score is 4.9 (medium), reflecting the network attack vector, low attack complexity, requirement for high privileges, no user interaction, unchanged scope, high confidentiality impact, and no impact on integrity or availability. No known exploits are currently reported in the wild, and no official patches are linked yet. The vulnerability was publicly disclosed on July 18, 2025.
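The pattern the description points at, as an added illustration rather than the plugin's own code (none is shown on this page): an ORDER BY clause takes an identifier, so value escaping (esc_sql(), the %s/%d placeholders of $wpdb->prepare()) cannot neutralize a request-supplied `order_by`; the fix is to map the request value onto an allowlist of known columns. The table name and column set are hypothetical; $wpdb is the standard WordPress database object.

```php
<?php
// Added illustration, not Forminator's code. Table/columns are hypothetical.

// VULNERABLE PATTERN: the sort column is interpolated straight into the SQL.
// Escaping does not help: ORDER BY expects a bare identifier, and %s would
// turn it into a quoted string literal, not a column reference.
function vulnerable_entries( $wpdb, $form_id ) {
    $order_by = isset( $_GET['order_by'] ) ? $_GET['order_by'] : 'entry_id';
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}hypothetical_entries WHERE form_id = %d",
        $form_id
    );
    // Whatever the caller sent becomes part of the statement text.
    return $wpdb->get_results( $sql . ' ORDER BY ' . $order_by );
}

// FIX: accept only a fixed set of column names and sort directions that the
// code itself chooses; anything else falls back to a safe default.
function safe_order_by( $requested, $default = 'entry_id' ) {
    $allowed_columns = array( 'entry_id', 'date_created', 'form_id' );
    if ( is_string( $requested ) && in_array( $requested, $allowed_columns, true ) ) {
        return $requested;
    }
    return $default;
}

function safe_direction( $requested ) {
    return ( is_string( $requested ) && 'DESC' === strtoupper( $requested ) ) ? 'DESC' : 'ASC';
}

function hardened_entries( $wpdb, $form_id ) {
    $column    = safe_order_by( isset( $_GET['order_by'] ) ? $_GET['order_by'] : '' );
    $direction = safe_direction( isset( $_GET['order'] ) ? $_GET['order'] : '' );
    // Only %d carries user data; $column and $direction are allowlisted
    // constants picked by the code, never raw request input. WordPress 6.2+
    // also offers the %i identifier placeholder, but an allowlist is the
    // simplest fix and works on every version.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}hypothetical_entries WHERE form_id = %d ORDER BY {$column} {$direction}",
        $form_id
    );
    return $wpdb->get_results( $sql );
}
```

A request whose `order_by` value is anything other than one of the three listed column names sorts by `entry_id`, so no attacker-controlled text ever reaches the statement.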

Potential Impact

For European organizations, this vulnerability poses a risk primarily to websites and services using WordPress with the Forminator Forms plugin installed and active. Since the vulnerability requires administrator-level access, the primary impact vector is through compromised or malicious admin accounts. Successful exploitation can lead to unauthorized disclosure of sensitive data stored in the WordPress database, including user information, payment details, or other confidential content managed via the forms. This can result in data breaches violating GDPR and other data protection regulations, leading to legal penalties and reputational damage. Additionally, the extraction of sensitive data could facilitate further attacks such as identity theft, fraud, or lateral movement within the organization's network. Given the widespread use of WordPress in Europe, especially among SMEs and public sector entities, the vulnerability could affect a broad range of organizations if they have not updated or mitigated the risk. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits post-disclosure.

Mitigation Recommendations

European organizations should take immediate steps to mitigate this vulnerability beyond generic advice:

1) Restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise.
2) Monitor and audit administrator account activities for unusual behavior that might indicate exploitation attempts.
3) If possible, temporarily disable or remove the Forminator Forms plugin until a patched version is released.
4) Implement Web Application Firewall (WAF) rules that detect and block suspicious SQL injection patterns targeting the 'order_by' parameter, including time-based injection attempts.
5) Conduct thorough security reviews and penetration testing focused on WordPress plugins, especially those handling user input in SQL queries.
6) Keep WordPress core and all plugins updated regularly and subscribe to vendor security advisories to apply patches promptly once available.
7) Limit database user privileges used by WordPress to the minimum necessary to reduce potential data exposure in case of injection.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-07-14T14:04:02.345Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6879ce10a83201eaaceef2aa

Added to database: 7/18/2025, 4:31:12 AM

Last enriched: 7/18/2025, 4:47:13 AM

Last updated: 7/18/2025, 4:47:13 AM

