Form Maker By 10Web Mobile Friendly Drag Drop Contact Form Builder
Monthly
SQL injection in the Form Maker by 10Web WordPress plugin exposes the WordPress database to authenticated admin-level attackers via the unsanitized 'groupids' parameter. All plugin versions through 1.15.43 are affected across multiple code paths in WDW_FM_Library.php and Generete_csv.php. No active exploitation is confirmed (not in CISA KEV), and exploitation is constrained by the administrator privilege requirement, though the high confidentiality impact from unrestricted database read access remains a meaningful concern for multi-tenant or shared WordPress environments.
SQL Injection in the Form Maker by 10Web WordPress plugin (all versions up to and including 1.15.43) enables authenticated administrators to append arbitrary SQL clauses via the unsanitized 'name' parameter in the admin-side data selection interface, permitting full read access to the underlying WordPress database. The CVSS vector confirms a high confidentiality impact (C:H) but no integrity or availability impact, scoped exclusively to the vulnerable system. No active exploitation is confirmed (not listed in CISA KEV), no public POC has been identified at time of analysis, and the mandatory administrator-level authentication prerequisite substantially constrains real-world mass exploitation risk.
SQL injection in the Form Maker by 10Web WordPress plugin exposes the WordPress database to authenticated admin-level attackers via the unsanitized 'groupids' parameter. All plugin versions through 1.15.43 are affected across multiple code paths in WDW_FM_Library.php and Generete_csv.php. No active exploitation is confirmed (not in CISA KEV), and exploitation is constrained by the administrator privilege requirement, though the high confidentiality impact from unrestricted database read access remains a meaningful concern for multi-tenant or shared WordPress environments.
SQL Injection in the Form Maker by 10Web WordPress plugin (all versions up to and including 1.15.43) enables authenticated administrators to append arbitrary SQL clauses via the unsanitized 'name' parameter in the admin-side data selection interface, permitting full read access to the underlying WordPress database. The CVSS vector confirms a high confidentiality impact (C:H) but no integrity or availability impact, scoped exclusively to the vulnerable system. No active exploitation is confirmed (not listed in CISA KEV), no public POC has been identified at time of analysis, and the mandatory administrator-level authentication prerequisite substantially constrains real-world mass exploitation risk.