Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Remote unauthenticated SQLi (AV:N/AC:L/PR:N/UI:N) yields full DB read (C:H); minor I:L for possible log/state side effects, A:N and S:U as no cross-component impact is evidenced.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated SQL Injection in Form Maker by 10Web <= 1.15.38 versions.
AnalysisAI
Unauthenticated SQL injection in the Form Maker by 10Web WordPress plugin (versions ≤ 1.15.38) allows remote attackers to inject arbitrary SQL into backend queries without credentials, leading to database content disclosure and partial integrity/availability impact across a changed security scope. No public exploit identified at time of analysis, but the CVSS 9.3 and trivial network-reachable attack profile make this a high-priority issue for any WordPress site running the plugin. The Patchstack-coordinated disclosure indicates a vendor-tracked flaw, though no fixed version is confirmed in the supplied data.
Technical ContextAI
Form Maker by 10Web is a widely deployed WordPress plugin (CPE cpe:2.3:a:10web:form_maker_by_10web) that provides drag-and-drop form building, submission storage, and admin reporting via PHP endpoints that query the WordPress MySQL/MariaDB database. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-supplied input reaches a SQL query without proper parameterization or escaping - typically because a plugin endpoint concatenates request parameters into a query string instead of using $wpdb->prepare(). Because the CVSS vector specifies Scope:Changed, the injection likely crosses a trust boundary (e.g., a public form handler reaching data managed by other WordPress components or the broader DBMS), which is consistent with plugin endpoints registered via admin-ajax.php or REST routes that lack capability checks.
RemediationAI
No vendor-released patch identified at time of analysis in the supplied data - administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/form-maker/vulnerability/wordpress-form-maker-by-10web-plugin-1-15-38-sql-injection-vulnerability) and the WordPress.org plugin page for the next release above 1.15.38 and upgrade as soon as it is available. As compensating controls until a patched version ships, deactivate and remove the Form Maker plugin if forms are not business-critical (side effect: existing forms and submission data become inaccessible until reactivation); alternatively, place the site behind a WAF such as Patchstack, Wordfence, or Cloudflare and enable virtual patching / SQLi signature rules targeted at the plugin's admin-ajax and REST endpoints (side effect: false positives on legitimate form submissions containing SQL-like punctuation); restrict access to /wp-admin/admin-ajax.php and the plugin's REST routes by IP where feasible (side effect: breaks public form submissions, so only viable for internal-use forms); and rotate database credentials and WordPress admin passwords if compromise is suspected, since SQLi typically yields wp_users hashes.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36947
GHSA-hqwp-wgxm-88pc