Description
The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the 'ip_search', 'startdate', 'enddate', 'username_search', and 'useremail_search' parameters in all versions up to, and including, 1.15.40. This is due to the `WDW_FM_Library::validate_data()` method calling `stripslashes()` on user input (removing WordPress's `wp_magic_quotes()` protection) and the `FMModelSubmissions_fm::get_labels_parameters()` function directly concatenating user-supplied values into SQL queries without using `$wpdb->prepare()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Additionally, the Submissions controller skips nonce verification for the `display` task, which means this vulnerability can be triggered via CSRF by tricking an administrator into clicking a crafted link.
Published: 2026-04-17
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Patch Immediately
AI Analysis

Impact

The vulnerability allows authenticated WordPress administrators to execute arbitrary SQL statements through malformed input sent to the 'ip_search', 'startdate', 'enddate', 'username_search', and 'useremail_search' parameters. The plugin’s validation routine removes WordPress’s magic quote protection, and the query construction directly concatenates user data without any prepared statement handling. As a result, an attacker can append additional SQL commands to the query, potentially extracting sensitive database contents. In addition, the submissions controller skips nonce verification for the display task, enabling a CSRF attack that could trigger the injection if a privileged user visits a crafted link.

Affected Systems

All instances of the 10Web Form Maker plugin for WordPress up to and including version 1.15.40 are affected. This includes any site that has installed the plugin and has users with administrator or higher privileges.

Risk and Exploitability

The flaw has a CVSS score of 4.9, indicating moderate severity. Because exploitation requires administrator access, the likelihood of successful exploitation is lower than for a public-facing vulnerability, but the presence of a CSRF vector raises the risk for compromised user sessions. EPSS data is unavailable and the vulnerability is not listed in CISA’s KEV catalog.

Generated by OpenCVE AI on April 17, 2026 at 05:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Form Maker plugin to the latest version available, which removes the vulnerable code paths.
  • If an immediate update cannot be performed, remove administrator privileges from any accounts that are not needed, and close any web interfaces that can trigger the affected admin endpoints.
  • Ensure that all admin sessions use strong, unique passwords and enable two‑factor authentication where possible to reduce the chance of credential compromise.

Generated by OpenCVE AI on April 17, 2026 at 05:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared 10web
10web form Maker By 10web – Mobile-friendly Drag & Drop Contact Form Builder
Wordpress
Wordpress wordpress
Vendors & Products 10web
10web form Maker By 10web – Mobile-friendly Drag & Drop Contact Form Builder
Wordpress
Wordpress wordpress

Fri, 17 Apr 2026 04:30:00 +0000

Type Values Removed Values Added
Description The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the 'ip_search', 'startdate', 'enddate', 'username_search', and 'useremail_search' parameters in all versions up to, and including, 1.15.40. This is due to the `WDW_FM_Library::validate_data()` method calling `stripslashes()` on user input (removing WordPress's `wp_magic_quotes()` protection) and the `FMModelSubmissions_fm::get_labels_parameters()` function directly concatenating user-supplied values into SQL queries without using `$wpdb->prepare()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Additionally, the Submissions controller skips nonce verification for the `display` task, which means this vulnerability can be triggered via CSRF by tricking an administrator into clicking a crafted link.
Title Form Maker by 10Web <= 1.15.40 - Authenticated (Administrator+) SQL Injection via 'ip_search' Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

10web Form Maker By 10web – Mobile-friendly Drag & Drop Contact Form Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-17T11:15:39.808Z

Reserved: 2026-02-27T14:37:55.825Z

Link: CVE-2026-3330

cve-icon Vulnrichment

Updated: 2026-04-17T11:15:33.371Z

cve-icon NVD

Status : Received

Published: 2026-04-17T05:16:18.080

Modified: 2026-04-17T05:16:18.080

Link: CVE-2026-3330

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T08:01:14Z

Weaknesses