Form Maker by 10Web < 1.15.6 - Admin+ SQLI
Description
The Form Maker by 10Web WordPress plugin before 1.15.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admins.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Form Maker by 10Web plugin before 1.15.6 allows admin-level users to execute arbitrary SQL queries.
Vulnerability
The Form Maker by 10Web WordPress plugin versions before 1.15.6 fails to properly sanitize and escape a parameter before using it in a SQL statement, resulting in a SQL injection vulnerability. The issue is present in the plugin's handling of user input, and it is exploitable by high-privilege users such as administrators. [1]
Exploitation
An attacker with administrator-level access to the WordPress site can exploit this vulnerability by sending a crafted request containing malicious SQL in the unsanitized parameter. No additional authentication or user interaction is required beyond having admin privileges. The exact parameter and endpoint are not publicly detailed, but the WPScan advisory confirms the vulnerability is exploitable. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary SQL queries against the WordPress database. This can lead to extraction of sensitive data (e.g., user credentials, configuration), modification or deletion of database content, and potentially further compromise of the site. The attacker already has admin privileges, so the impact is an escalation from admin to full database control. [1]
Mitigation
The vulnerability is fixed in version 1.15.6 of the Form Maker by 10Web plugin. Users should update to this version or later. No workarounds are provided. The plugin is actively maintained, and the fix was released on October 3, 2022. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <1.15.6
Patches
No patches discovered yet.