Description
The Form Maker by 10Web WordPress plugin before 1.15.38 does not properly prepare SQL queries when the "MySQL Mapping" feature is in use, which could make SQL Injection attacks possible in certain contexts.
Published: 2026-04-13
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection may allow unauthorized database access or manipulation
Action: Patch
AI Analysis

Impact

The Form Maker WordPress plugin fails to properly prepare SQL queries when its "MySQL Mapping" feature is active, which could allow an attacker to inject arbitrary SQL. Based on the description, it is inferred that this flaw could expose the database to unauthorized reads, writes, or deletions, impacting the confidentiality and integrity of site data.

Affected Systems

WordPress sites that have the Form Maker plugin by 10Web installed at a version prior to 1.15.38 and have enabled the MySQL Mapping feature are affected.

Risk and Exploitability

The available data does not provide a CVSS or EPSS score, so the severity cannot be quantified. The flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could exploit the vulnerability by supplying malicious input through the plugin’s form interface, enabling execution of unintended SQL statements if the MySQL Mapping feature is engaged.

Generated by OpenCVE AI on April 13, 2026 at 08:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Form Maker to version 1.15.38 or later
  • If upgrading is not immediately possible, disable the MySQL Mapping feature to prevent exploitation
  • Verify that all SQL queries handled by the plugin use prepared statements or proper escaping



Advisories

No advisories yet.

History

Mon, 13 Apr 2026 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 14:30:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-89

Mon, 13 Apr 2026 13:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  10web
  10web form Maker
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  10web
  10web form Maker
  Wordpress
  Wordpress wordpress

Mon, 13 Apr 2026 07:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Form Maker by 10Web WordPress plugin before 1.15.38 does not properly prepare SQL queries when the "MySQL Mapping" feature is in use, which could make SQL Injection attacks possible in certain contexts.

Type: Title
Values Removed: (none)
Values Added: Form Maker < 1.15.38 - SQL Injection

Type: References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-13T15:04:26.883Z

Reserved: 2026-01-02T16:38:55.479Z

Link: CVE-2025-15441

Vulnrichment

Updated: 2026-04-13T15:04:23.419Z

NVD

Status: Awaiting Analysis

Published: 2026-04-13T07:16:07.213

Modified: 2026-04-13T16:16:23.300

Link: CVE-2025-15441

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:52:47Z

Weaknesses