Skip to main content

Form Maker by 10Web CVE-2026-11776

| EUVDEUVD-2026-37842 MEDIUM
SQL Injection (CWE-89)
2026-06-18 Wordfence GHSA-m85c-v3hh-52xc
4.9
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
4.9 MEDIUM

Plugin is network-accessible via WordPress admin; administrator authentication required (PR:H); read-only database extraction means C:H with I:N and A:N.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 18, 2026 - 06:19 vuln.today
CVE Published
Jun 18, 2026 - 04:31 cve.org
MEDIUM 4.9

DescriptionCVE.org

The Form Maker by 10Web - Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'groupids' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AnalysisAI

SQL injection in the Form Maker by 10Web WordPress plugin exposes the WordPress database to authenticated admin-level attackers via the unsanitized 'groupids' parameter. All plugin versions through 1.15.43 are affected across multiple code paths in WDW_FM_Library.php and Generete_csv.php. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain WordPress administrator credentials
Delivery
Authenticate to WordPress admin panel
Exploit
Submit crafted 'groupids' payload to vulnerable form group or CSV export endpoint
Execution
Inject appended SQL into existing query
Impact
Extract sensitive rows from WordPress database

Vulnerability AssessmentAI

Exploitation Exploitation requires an active, authenticated WordPress session with administrator-level privileges or higher (PR:H per CVSS). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.9 reflects the administrator privilege requirement (PR:H), which substantially reduces exploitability compared to unauthenticated SQL injection findings. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has gained WordPress administrator credentials - through phishing, credential stuffing, or internal privilege abuse - navigates to an admin panel feature that processes the 'groupids' parameter (such as form group management or CSV export). By appending SQL syntax to the 'groupids' value, the attacker injects a UNION-based or boolean-based SQL clause into the existing query, enabling extraction of arbitrary rows from the WordPress database including wp_users password hashes, plugin configuration data, or stored form submission content. …
Remediation A patch has been committed to the WordPress plugin repository per the referenced changeset (revision 3567408 at https://plugins.trac.wordpress.org/changeset?reponame=&old=3567408%40form-maker&new=3567408%40form-maker), however the exact released patched version number is not independently confirmed from the available data - site administrators should update to the latest available version of Form Maker by 10Web beyond 1.15.43 via the WordPress dashboard and verify the installed version exceeds the last confirmed vulnerable release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11776 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy