Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Administrator authentication mandates PR:H; read-only database extraction drives C:H with no integrity or availability impact warranting I:N/A:N.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Form Maker by 10Web - Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'name' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AnalysisAI
SQL Injection in the Form Maker by 10Web WordPress plugin (all versions up to and including 1.15.43) enables authenticated administrators to append arbitrary SQL clauses via the unsanitized 'name' parameter in the admin-side data selection interface, permitting full read access to the underlying WordPress database. The CVSS vector confirms a high confidentiality impact (C:H) but no integrity or availability impact, scoped exclusively to the vulnerable system. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an active WordPress session authenticated at the administrator privilege level (PR:H per CVSS:3.1 vector) - subscriber, contributor, author, or editor roles are insufficient. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS base score of 4.9 is calibrated correctly for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has acquired WordPress administrator credentials - via phishing, credential stuffing against the wp-login.php endpoint, or lateral movement from another compromised account - authenticates to the WordPress admin panel and accesses the Form Maker plugin's admin data selection interface. The attacker submits a crafted 'name' parameter value containing SQL injection syntax (e.g., a UNION SELECT payload or time-based blind injection string) to the Select_data_from_db controller, causing the backend to execute the injected query against the WordPress database and return sensitive table contents such as wp_users hashed passwords, email addresses, or stored form submission data. … |
| Remediation | A patch commit has been applied to the WordPress plugin repository (changeset 3567408, available at https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3567408%40form-maker&new=3567408%40form-maker), addressing the unsanitized 'name' parameter in FMSelectDataFromDb.php and Select_data_from_db.php. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37838
GHSA-h24f-c2f9-rj3m