Description
WordPress Form Maker Plugin 1.12.24 and below contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through the FormMakerSQLMapping and generete_csv actions. Attackers can submit POST requests with malicious SQL payloads in the name and search_labels parameters to extract, modify, or escalate privileges within the WordPress database.
Published: 2026-05-23
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows authenticated users to inject arbitrary SQL code via specific POST actions in the Form Maker plugin. By manipulating the name and search_labels parameters sent to admin-ajax.php, an attacker can read, alter, or elevate permissions on the WordPress database, giving direct access to sensitive data and the ability to modify site content or structure.

Affected Systems

The flaw affects the 10Web Form Maker plugin for WordPress, specifically version 1.12.24 and all earlier releases. WordPress installations that have this plugin active, especially those with administrative accounts, are vulnerable.

Risk and Exploitability

The CVSS score of 7.1 classifies this as high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Because the exploit requires authentication, the attack vector is local but still dangerous for sites with weak access controls; the potential for data exfiltration or privilege escalation remains high until the plugin is patched or removed.

Generated by OpenCVE AI on May 23, 2026 at 19:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Form Maker plugin to a version newer than 1.12.24.
  • If an update is not feasible, disable or uninstall the Form Maker plugin immediately to eliminate the injection point.
  • Restrict administrative access to the WordPress site to trusted users only and enable two-factor authentication for all accounts.
  • Deploy a web application firewall that inspects POST requests for suspicious patterns in the name and search_labels fields.

Advisories

No advisories yet.

History

Sat, 23 May 2026 20:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wordpress; Wordpress wordpress
Vendors & Products  |                | Wordpress; Wordpress wordpress

Sat, 23 May 2026 18:45:00 +0000

Type                | Values Removed | Values Added
Description         |                | WordPress Form Maker Plugin 1.12.24 and below contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through the FormMakerSQLMapping and generete_csv actions. Attackers can submit POST requests with malicious SQL payloads in the name and search_labels parameters to extract, modify, or escalate privileges within the WordPress database.
Title               |                | WordPress Form Maker Plugin 1.12.24 SQL Injection via admin-ajax.php
First Time appeared |                | 10web; 10web form Maker
Weaknesses          |                | CWE-89
CPEs                |                | cpe:2.3:a:10web:form_maker:*:*:*:*:*:wordpress:*:*
Vendors & Products  |                | 10web; 10web form Maker
References          |                |
Metrics             |                | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}
                    |                | cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-23T18:30:48.238Z

Reserved: 2026-05-23T14:49:40.257Z

Link: CVE-2018-25346

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-23T20:30:25Z

Weaknesses