Description
The Form Maker by 10Web WordPress plugin before 1.15.38 does not properly prepare SQL queries when the "MySQL Mapping" feature is in use, which could make SQL Injection attacks possible in certain contexts.
Published: 2026-04-13
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Patch Immediately
AI Analysis

Impact

The vulnerability lies in the Form Maker plugin for WordPress, where the MySQL Mapping feature fails to properly escape input before executing database queries. This flaw permits an attacker to inject arbitrary SQL statements, potentially modifying, deleting, or exfiltrating data stored by the site. Because the issue is tied to a plugin that runs in a web context, successful exploitation could compromise the confidentiality, integrity, or availability of database contents used by the affected WordPress installation.
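The pattern described above, as an added illustration that is not code from the Form Maker plugin or from 10Web: a lookup built by splicing a submitted field value into the SQL text, next to the same lookup as a prepared statement. It uses PHP's PDO driver with an in-memory SQLite table (constructed here, and assuming the `pdo_sqlite` extension is available) so it runs stand-alone under the `php` CLI; inside a WordPress plugin the corresponding safe call is `$wpdb->prepare()` with `%s`/`%d` placeholders, followed by `$wpdb->get_results()`.

```php
<?php
// Added example (not the plugin's code): concatenated SQL versus a prepared
// statement, using PDO with an in-memory SQLite database so it runs offline.

// Constructed sample table standing in for a table a form might be "mapped" to.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, email TEXT, note TEXT)');
$pdo->exec("INSERT INTO contacts (email, note) VALUES
            ('alice@example.test', 'a'),
            ('bob@example.test', 'b')");

// Unsafe pattern (CWE-89): the submitted value becomes part of the SQL text,
// so a quote character in the value changes the structure of the WHERE clause.
function lookupUnsafe(PDO $pdo, string $email): array
{
    $sql = "SELECT id, email FROM contacts WHERE email = '" . $email . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe pattern: the value is bound as a parameter, so the database engine
// treats it strictly as data no matter which characters it contains.
// In WordPress this is the role of $wpdb->prepare().
function lookupPrepared(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT id, email FROM contacts WHERE email = ?');
    $stmt->execute([$email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$normal  = 'alice@example.test';
$quoted  = "' OR '1'='1";   // constructed test value containing a quote character

// Same quoted input, two very different results: the unsafe query's WHERE
// clause is rewritten, the prepared query looks for that literal string.
printf("unsafe,   normal input: %d row(s)\n", count(lookupUnsafe($pdo, $normal)));
printf("unsafe,   quoted input: %d row(s)\n", count(lookupUnsafe($pdo, $quoted)));
printf("prepared, quoted input: %d row(s)\n", count(lookupPrepared($pdo, $quoted)));
```

Run it with `php example.php`. The unsafe function returns more rows for the quoted input than the address actually matches, because the clause no longer compares against a single address; the prepared function returns only rows whose `email` column equals the submitted string byte for byte, which is the behaviour the "properly prepare SQL queries" wording in the description refers to. The same distinction applies to INSERT and UPDATE statements, which is where a form-to-table mapping feature typically writes.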

Affected Systems

The affected system is the Form Maker plugin distributed by 10Web for WordPress. The flaw exists in all releases prior to version 1.15.38. Hosts running older versions of this plugin—particularly sites that have enabled the MySQL Mapping feature—are at risk. No other products or platforms are mentioned, so the scope is limited to WordPress sites using this specific plugin.

Risk and Exploitability

The CVSS base score of 6.8 places the issue in the medium severity range, indicating that a successful exploit would have a non-negligible impact. The EPSS score is below 1%, suggesting that exploitation is currently uncommon, and the flaw is not yet listed in CISA's KEV catalog. Inference: the attack vector is web-based; an attacker needs the ability to submit crafted form data or otherwise trigger the MySQL Mapping logic, which may be reachable by authenticated or unauthenticated users depending on how the form is configured. Because the affected queries are not prepared, no additional layer of escaping stands between the submitted data and the SQL that is executed.

Generated by OpenCVE AI on April 13, 2026 at 18:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Form Maker plugin to version 1.15.38 or later.
  • Disable the MySQL Mapping feature if it is not required.
  • Verify that all user input is properly escaped by the plugin by testing with a web vulnerability scanner.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 16:15:00 +0000

Type      Values Removed    Values Added
Metrics                     cvssV3_1: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N'}
                            ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 14:30:00 +0000

Type        Values Removed    Values Added
Weaknesses                    CWE-89

Mon, 13 Apr 2026 13:00:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    10web
                                       10web form Maker
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     10web
                                       10web form Maker
                                       Wordpress
                                       Wordpress wordpress

Mon, 13 Apr 2026 07:15:00 +0000

Type         Values Removed    Values Added
Description                    The Form Maker by 10Web WordPress plugin before 1.15.38 does not properly prepare SQL queries when the "MySQL Mapping" feature is in use, which could make SQL Injection attacks possible in certain contexts.
Title                          Form Maker < 1.15.38 - SQL Injection
References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-13T15:04:26.883Z

Reserved: 2026-01-02T16:38:55.479Z

Link: CVE-2025-15441

Vulnrichment

Updated: 2026-04-13T15:04:23.419Z

NVD

Status: Deferred

Published: 2026-04-13T07:16:07.213

Modified: 2026-04-15T15:05:47.827

Link: CVE-2025-15441

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:35:24Z

Weaknesses