CVE-2025-6783: 
WordPress vulnerability analysis and mitigation

The GoZen Forms plugin for WordPress contains a SQL Injection vulnerability (CVE-2025-6783) discovered in all versions up to and including 1.1.5. The vulnerability exists in the 'forms-id' parameter of the emdedSc() function, which lacks sufficient escaping of user-supplied parameters and proper preparation of SQL queries (NVD). The plugin was temporarily closed on July 1, 2025, pending a full security review (WordPress Plugin).

The vulnerability is classified as a SQL Injection (CWE-89) with a CVSS v3.1 Base Score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). The security flaw allows unauthenticated attackers to append additional SQL queries to existing queries due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation in the SQL query (NVD).

The vulnerability enables unauthenticated attackers to extract sensitive information from the database by injecting malicious SQL queries into the existing queries. This poses a significant risk to the confidentiality of data stored in WordPress installations using the affected plugin versions (NVD).

The plugin has been temporarily closed as of July 1, 2025, pending a full security review. Users are advised to disable and remove the plugin until a patched version becomes available (WordPress Plugin).