Product
WordPress Contact Form Maker Plugin version 1.12.20 is vulnerable to SQL injection, enabling authenticated attackers to manipulate database queries via AJAX actions (FormMakerSQLMapping and generete_csv_fmc) by injecting malicious SQL code through the 'name' and 'search_labels' parameters, potentially extracting sensitive database information or escalating privileges.