Description
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'groupids' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-06-18
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Form Maker by 10Web plugin for WordPress and allows a generic SQL injection through the 'groupids' request parameter. Insufficient escaping and missing SQL preparation enable authenticated users with administrator-level privileges to append malicious SQL statements to the existing query. This can lead to extraction of sensitive database content, compromising confidentiality of stored data.

Affected Systems

All installations of the Form Maker by 10Web plugin for WordPress up to and including version 1.15.43 are affected; the flaw exists in every release through 1.15.43 and is not present beyond that point. Sites running any of these versions are at risk if they grant administrator-level or higher access to users.

Risk and Exploitability

The CVSS v3.1 score of 4.9 rates the flaw as Medium severity. The EPSS score of less than 1% indicates a very low probability of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalog. The attack vector requires an authenticated session with administrator or higher privileges (the CVSS vector specifies PR:H), so an attacker must already hold such access to exploit the vulnerability. Once exploited, the attacker can read arbitrary data from the database by injecting additional SQL queries.

Generated by OpenCVE AI on June 18, 2026 at 17:58 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the Form Maker by 10Web plugin to a version newer than 1.15.43, where the SQL injection issue has been fixed.
  • If an immediate update is not possible, restrict administrator-level accounts to trusted users and closely monitor and audit administrator activity to reduce the risk of malicious exploitation.
  • In custom code that processes the 'groupids' parameter, enforce proper input validation and use prepared statements or parameterized queries to prevent injection attacks.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 19:30:00 +0000

Type: First Time appeared
Values Added:
  • 10web
  • 10web form Maker By 10web – Mobile-friendly Drag & Drop Contact Form Builder
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Added:
  • 10web
  • 10web form Maker By 10web – Mobile-friendly Drag & Drop Contact Form Builder
  • Wordpress
  • Wordpress wordpress

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 16:45:00 +0000

Type: Description
Values Added: The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'groupids' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Type: Title
Values Added: Form Maker by 10Web <= 1.15.43 - Authenticated (Administrator+) SQL Injection via 'groupids' Parameter

Type: Weaknesses
Values Added: CWE-89

Type: References

Type: Metrics
Values Added: cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

10web Form Maker By 10web – Mobile-friendly Drag & Drop Contact Form Builder
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-18T18:26:17.993Z

Reserved: 2026-06-09T12:09:35.358Z

Link: CVE-2026-11776

Vulnrichment

Updated: 2026-06-18T18:21:41.902Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T19:15:02Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')