Impact
An unauthenticated attacker can supply crafted input to the Form Maker by 10Web plugin, causing an SQL injection that may grant arbitrary database read, write, or delete capabilities. This flaw falls under CWE-89 and can compromise the confidentiality, integrity, and availability of the WordPress site's data.
Affected Systems
All installations of the WordPress Form Maker by 10Web plugin at version 1.15.38 or earlier are vulnerable, regardless of the underlying WordPress version.
Risk and Exploitability
The CVSS score of 9.3 marks this as a critical vulnerability, and the EPSS score indicates a low probability of exploitation in the short term, although the attack is unauthenticated. The vulnerability is not listed in the CISA KEV catalog, but its high severity warrants vigilant monitoring. Based on the description, it is inferred that the attacker could submit a malicious payload through a form endpoint, though the specific endpoint is not explicitly stated in the CVE data.
OpenCVE Enrichment