Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the 'ip_search', 'startdate', 'enddate', 'username_search', and 'useremail_search' parameters in all versions up to, and including, 1.15.40. This is due to the WDW_FM_Library::validate_data() method calling stripslashes() on user input (removing WordPress's wp_magic_quotes() protection) and the FMModelSubmissions_fm::get_labels_parameters() function directly concatenating user-supplied values into SQL queries without using $wpdb->prepare(). This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Additionally, the Submissions controller skips nonce verification for the display task, which means this vulnerability can be triggered via CSRF by tricking an administrator into clicking a crafted link.
AnalysisAI
SQL injection in Form Maker by 10Web WordPress plugin (versions ≤1.15.40) allows authenticated administrators to extract sensitive database information via unsanitized parameters (ip_search, startdate, enddate, username_search, useremail_search) in the Submissions display function. The vulnerability stems from the validate_data() method stripping WordPress's magic quotes protection and get_labels_parameters() concatenating user input directly into SQL queries without prepared statements. A CSRF vector exists because the vulnerable display task lacks nonce verification, enabling attackers to trick administrators into triggering the injection via a crafted link. Exploitation requires Administrator-level privileges but can be chained with CSRF for unauthorized triggering.
Technical ContextAI
The Form Maker by 10Web plugin mishandles user input in two critical locations: the WDW_FM_Library::validate_data() method calls stripslashes() on user-supplied values, explicitly removing WordPress's wp_magic_quotes() protection mechanism designed to prevent SQL injection. Subsequently, the FMModelSubmissions_fm::get_labels_parameters() function concatenates these unsanitized values directly into SQL queries without using the WordPress $wpdb->prepare() prepared statement API (CWE-89: Improper Neutralization of Special Elements used in an SQL Command). The vulnerable parameters (ip_search, startdate, enddate, username_search, useremail_search) are processed through this chain when the Submissions controller handles the display task. Critically, the Submissions_fm controller omits nonce verification (wp_verify_nonce) for the display task action, creating a secondary CSRF vulnerability that allows remote attackers to trigger the SQL injection by manipulating an authenticated administrator into clicking a malicious link. This combination violates WordPress security best practices: input sanitization, parameterized queries, and CSRF tokens.
RemediationAI
Update Form Maker by 10Web to version 1.15.41 or later immediately, as the vulnerability affects all versions through 1.15.40. The patch must address three components: (1) removal of the stripslashes() call in WDW_FM_Library::validate_data() to preserve WordPress's native magic quotes protection, (2) refactoring FMModelSubmissions_fm::get_labels_parameters() to use $wpdb->prepare() for all SQL queries, and (3) adding wp_verify_nonce() validation to the Submissions controller's display task to prevent CSRF exploitation. Administrators should verify the patch is applied by checking the plugin version in the WordPress admin dashboard (Plugins > Installed Plugins) or via the plugin's code repository. Until patching, mitigate the CSRF vector by disabling the display task endpoint if not actively used (requires custom code modification) or by restricting Administrator role to only essential personnel. Do not rely on WAF rules alone, as SQL injection may evade basic signature detection when obfuscated via CSRF payloads. Refer to the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/5e383b8a-27e5-4b35-8d11-6e4102255d44?source=cve for vendor confirmation and patch release timeline.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23352
GHSA-88f4-qv6h-wgph