Description
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'name' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-06-18
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user with administrator privileges can exploit a classic SQL Injection flaw in the Form Maker by 10Web plugin. The vulnerability stems from insufficient escaping of the 'name' parameter in database queries, allowing attackers to embed malicious SQL and retrieve sensitive data from the database. The attack is a classic CWE‑89 injection that compromises data confidentiality and could expose user credentials, contact information, and other private content stored within the WordPress site.

Affected Systems

The flaw is present in all releases of the Form Maker by 10Web – Mobile‑Friendly Drag & Drop Contact Form Builder plugin up to and including version 1.15.43. Any WordPress site running this plugin and possessing an administrator account is susceptible.

Risk and Exploitability

The CVSS score of 4.9 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Because the attack vector requires an authenticated administrator, the likelihood of exploitation depends on the strength of administrative access controls. However, once compromised, the attacker can extract arbitrary data from the database, representing a significant confidentiality risk.

Generated by OpenCVE AI on June 18, 2026 at 17:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Form Maker plugin to the latest available version that removes the injection flaw (must be newer than 1.15.43).
  • Restrict WordPress administrator accounts to trusted users only or break out roles so that the least privileged users cannot edit forms and filters.
  • Configure a web application firewall or security plugin to detect and block SQL injection attempts on the 'name' parameter, or add custom validation code that sanitizes the input before it reaches the database.

Generated by OpenCVE AI on June 18, 2026 at 17:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared 10web
10web form Maker By 10web – Mobile-friendly Drag & Drop Contact Form Builder
Wordpress
Wordpress wordpress
Vendors & Products 10web
10web form Maker By 10web – Mobile-friendly Drag & Drop Contact Form Builder
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'name' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title Form Maker by 10Web <= 1.15.43 - Authenticated (Administrator+) SQL Injection via 'name' Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Subscriptions

10web Form Maker By 10web – Mobile-friendly Drag & Drop Contact Form Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-18T15:51:32.223Z

Reserved: 2026-06-09T12:10:32.626Z

Link: CVE-2026-11777

cve-icon Vulnrichment

Updated: 2026-06-18T15:51:28.632Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T18:30:15Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')