Skip to main content

Form Maker 10Web CVE-2026-11777

| EUVDEUVD-2026-37838 MEDIUM
SQL Injection (CWE-89)
2026-06-18 Wordfence GHSA-h24f-c2f9-rj3m
4.9
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
4.9 MEDIUM

Administrator authentication mandates PR:H; read-only database extraction drives C:H with no integrity or availability impact warranting I:N/A:N.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 18, 2026 - 06:16 vuln.today
CVE Published
Jun 18, 2026 - 04:31 cve.org
MEDIUM 4.9

DescriptionCVE.org

The Form Maker by 10Web - Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'name' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AnalysisAI

SQL Injection in the Form Maker by 10Web WordPress plugin (all versions up to and including 1.15.43) enables authenticated administrators to append arbitrary SQL clauses via the unsanitized 'name' parameter in the admin-side data selection interface, permitting full read access to the underlying WordPress database. The CVSS vector confirms a high confidentiality impact (C:H) but no integrity or availability impact, scoped exclusively to the vulnerable system. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain WordPress admin credentials
Delivery
Authenticate to /wp-admin/ backend
Exploit
Navigate to Form Maker plugin admin data interface
Execution
Inject SQL payload via 'name' parameter
Persist
Trigger unsanitized query execution in FMSelectDataFromDb.php
Impact
Exfiltrate sensitive database content

Vulnerability AssessmentAI

Exploitation Exploitation requires an active WordPress session authenticated at the administrator privilege level (PR:H per CVSS:3.1 vector) - subscriber, contributor, author, or editor roles are insufficient. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS base score of 4.9 is calibrated correctly for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has acquired WordPress administrator credentials - via phishing, credential stuffing against the wp-login.php endpoint, or lateral movement from another compromised account - authenticates to the WordPress admin panel and accesses the Form Maker plugin's admin data selection interface. The attacker submits a crafted 'name' parameter value containing SQL injection syntax (e.g., a UNION SELECT payload or time-based blind injection string) to the Select_data_from_db controller, causing the backend to execute the injected query against the WordPress database and return sensitive table contents such as wp_users hashed passwords, email addresses, or stored form submission data. …
Remediation A patch commit has been applied to the WordPress plugin repository (changeset 3567408, available at https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3567408%40form-maker&new=3567408%40form-maker), addressing the unsanitized 'name' parameter in FMSelectDataFromDb.php and Select_data_from_db.php. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11777 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy