Impact
An authenticated user with administrator privileges can exploit a classic SQL Injection flaw in the Form Maker by 10Web plugin. The vulnerability stems from insufficient escaping of the 'name' parameter in database queries, allowing attackers to embed malicious SQL and retrieve sensitive data from the database. The attack is a classic CWE‑89 injection that compromises data confidentiality and could expose user credentials, contact information, and other private content stored within the WordPress site.
Affected Systems
The flaw is present in all releases of the Form Maker by 10Web – Mobile‑Friendly Drag & Drop Contact Form Builder plugin up to and including version 1.15.43. Any WordPress site running this plugin and possessing an administrator account is susceptible.
Risk and Exploitability
The CVSS score of 4.9 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Because the attack vector requires an authenticated administrator, the likelihood of exploitation depends on the strength of administrative access controls. However, once compromised, the attacker can extract arbitrary data from the database, representing a significant confidentiality risk.
OpenCVE Enrichment