
A critical SQL injection vulnerability (CVE-2025-31551) has been identified in the Salesmate.io Salesmate Add-On for Gravity Forms, affecting versions up to and including 2.0.3. The flaw, rated 9.3 (CRITICAL) on the CVSS scale, allows attackers to execute arbitrary SQL commands due to improper neutralization of special elements. This vulnerability was published on April 1, 2025, and was added to the CVE database following a Patchstack audit [1].
Technical Details of the Vulnerability
The vulnerability stems from insufficient input validation in the plugin’s database queries, classified under CWE-89 (SQL Injection). The CVSS v3.1 vector string (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L) indicates it is network-exploitable with low attack complexity, requiring no privileges or user interaction [2]. Successful exploitation could lead to unauthorized database access, including extraction of sensitive user data stored by Gravity Forms. The affected plugin is used by WordPress sites to integrate Salesmate CRM functionalities with form submissions.
Notably, this vulnerability shares its affected version range (≤2.0.3) with another recently disclosed flaw (CVE-2025-31533), which involves broken access control (CWE-862). While no public exploits have been documented for either CVE as of publication, the combination of these vulnerabilities could enable chained attacks [3].
Impact and Mitigation
Organizations using the affected plugin should immediately:
- Update to a patched version if available (monitor Patchstack for updates)
- Disable the plugin if updates aren’t available
- Review server logs for suspicious SQL queries containing unusual UNION statements or schema exploration attempts
For detection, security teams can monitor for abnormal HTTP requests containing SQL metacharacters (e.g., single quotes, semicolons) targeting Gravity Forms submission endpoints. Web application firewalls should be configured to block SQL injection patterns specific to this plugin’s parameter structure.
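The log review described above, as an added example that is not part of the original advisory: a small Python scanner that flags requests to form endpoints whose decoded query string carries SQL metacharacters or UNION/schema-exploration keywords. The endpoint paths (Gravity Forms REST v2 submissions and admin-ajax) are assumed for illustration, and the log lines are constructed, not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Paths treated as Gravity Forms submission endpoints. ASSUMED for this
# example (GF REST v2 submissions and admin-ajax); tune to your site.
FORM_ENDPOINT_RE = re.compile(
    r"/wp-json/gf/v2/forms/\d+/submissions|/wp-admin/admin-ajax\.php")

# Indicators named in the advisory: SQL metacharacters in the query string
# and UNION / schema-exploration keywords anywhere in the decoded request.
METACHAR_RE = re.compile(r"['\";]")
KEYWORD_RE = re.compile(
    r"\b(union\s+(all\s+)?select|information_schema)\b", re.IGNORECASE)

# Apache/Nginx combined log format: client, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Apr/2025:10:00:01 +0000] "POST /wp-json/gf/v2/forms/3/submissions HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Apr/2025:10:00:02 +0000] "GET /wp-json/gf/v2/forms/3/submissions?input_1=x%27%20UNION%20SELECT%201%2C2%2C3-- HTTP/1.1" 200 9120 "-" "curl/8.5"
203.0.113.9 - - [01/Apr/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=demo&id=1%3B%20SELECT%201 HTTP/1.1" 500 0 "-" "curl/8.5"
198.51.100.4 - - [01/Apr/2025:10:00:04 +0000] "GET /blog/?s=o%27reilly HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

def analyse_line(line):
    """Return a finding for a suspicious form-endpoint request, else None."""
    m = LOG_RE.match(line)
    if not m or not FORM_ENDPOINT_RE.search(m.group("path")):
        return None
    # Decode twice: payloads are URL-encoded and sometimes double-encoded.
    decoded = unquote_plus(unquote_plus(m.group("path")))
    reasons = []
    if KEYWORD_RE.search(decoded):
        reasons.append("sql-keyword")
    if METACHAR_RE.search(decoded.partition("?")[2]):  # query string only
        reasons.append("sql-metachar")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
            "path": decoded, "reasons": reasons}

def scan(log_text):
    """Run analyse_line over every line, keeping only findings."""
    return [f for f in map(analyse_line, log_text.splitlines()) if f]
```

Access logs record only the request line, so POST bodies (where most form fields travel) are invisible to this check; pair it with WAF or application-level logging of request parameters.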
Broader Security Context
This disclosure follows a pattern of increasing vulnerabilities in WordPress CRM integrations, with 18 similar SQL injection flaws reported in comparable plugins during Q1 2025 according to Patchstack data. The Salesmate Add-On vulnerability is particularly concerning given Gravity Forms’ widespread use in enterprise environments for sensitive data collection.
Security researchers emphasize that while no exploit code is publicly available, the high CVSS score and network-based exploitability make this vulnerability a likely target for automated scanning tools. Organizations should prioritize mitigation given the typical 72-hour window between vulnerability disclosure and exploit weaponization observed in similar cases.
Conclusion
CVE-2025-31551 represents a severe threat to WordPress installations using the affected Salesmate Add-On. The combination of high impact and ease of exploitation warrants immediate action from security teams. Continuous monitoring of Patchstack and vendor channels for updates is recommended until a permanent fix is available.
References
- “CVE-2025-31551 Detail,” CVE Feed, Apr. 1, 2025. [Online]. Available: https://cvefeed.io/vuln/detail/CVE-2025-31551
- “WordPress Salesmate Add-On for Gravity Forms Plugin SQL Injection Vulnerability,” Patchstack, Apr. 1, 2025. [Online]. Available: https://patchstack.com/database/wordpress/plugin/gf-salesmate-add-on/vulnerability/wordpress-salesmate-add-on-for-gravity-forms-plugin-2-0-3-sql-injection-vulnerability
- “CVE-2025-31533: Broken Access Control Vulnerability,” Vulners, Mar. 31, 2025. [Online]. Available: https://vulners.com/cvelist/CVELIST:CVE-2025-31533