VYPR
Unrated severity · NVD Advisory · Published Jun 18, 2026

Form Maker by 10Web <= 1.15.43 - Authenticated (Administrator+) SQL Injection via 'groupids' Parameter

CVE-2026-11776

Description

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'groupids' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Insufficient escaping on the user-supplied 'groupids' parameter and lack of prepared statement usage in the SQL query allow generic SQL injection."

Attack vector

An authenticated attacker with administrator-level access sends a crafted HTTP request to one of the plugin's admin AJAX endpoints, supplying a malicious value in the `groupids` parameter. Because the plugin fails to escape the user-supplied parameter and does not use prepared statements, the attacker can append arbitrary SQL clauses to the existing query. This allows extraction of sensitive information from the WordPress database, such as user credentials or other protected data [CWE-89].

Affected code

The vulnerability resides in the `groupids` parameter handling within the Form Maker plugin's admin AJAX actions. The code at `form-maker.php` registers multiple `wp_ajax_` hooks that route to `form_maker_ajax`, where the `groupids` parameter is used in SQL queries without proper escaping or prepared statement preparation. The patch is not included in the bundle, but the advisory identifies the `groupids` parameter as the injection point.

What the fix does

The advisory states that the fix requires proper escaping of the `groupids` parameter and use of prepared statements in the SQL query. No patch diff is provided in the bundle, so the exact code changes are unknown. The remediation guidance is to upgrade to a patched version where the plugin correctly parameterizes the query and escapes user input before it reaches the database.
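The attack vector and fix paragraphs above describe the bug class in words only. The following is an added example, not Form Maker's code and not its patch (no diff is available), that reproduces the pattern against an in-memory SQLite database: a comma-separated `groupids` value concatenated into an `IN (...)` clause, beside the parameterised form the remediation guidance calls for. Table names (`fm_groups`, `users`), columns and the payload are constructed for the demo and are assumptions, not the plugin's real schema or a known exploit string; the list-of-ids case is chosen because a single placeholder cannot bind a list, which is exactly where developers tend to fall back to string concatenation.

```php
<?php
// Added example (not Form Maker's code): unescaped IN-list vs. bound placeholders.
declare(strict_types=1);

// Constructed schema and rows for the demo; not the plugin's real tables.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE fm_groups (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass TEXT)');
$db->exec("INSERT INTO fm_groups VALUES (1, 'newsletter'), (2, 'beta')");
$db->exec("INSERT INTO users VALUES (1, 'admin', 'secret-hash-1')");

// Vulnerable shape: the request value is pasted straight into the SQL text (CWE-89).
// Any text after a closing parenthesis becomes part of the query.
function groups_vulnerable(PDO $db, string $groupids): array
{
    $sql = "SELECT id, name FROM fm_groups WHERE id IN ($groupids)";
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Hardened shape: coerce every element to a positive integer, then bind one
// placeholder per value so the database never sees attacker-controlled SQL.
function groups_fixed(PDO $db, string $groupids): array
{
    $ids = array_map('intval', explode(',', $groupids));
    $ids = array_values(array_filter($ids, fn (int $v): bool => $v > 0));
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, name FROM fm_groups WHERE id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// Hypothetical payload: closes the IN list, appends a UNION that pulls
// credentials from another table, and comments out the original trailing ')'.
$payload = '1) UNION SELECT login, pass FROM users--';

// The vulnerable query returns the newsletter group AND the admin hash;
// the fixed query sees only id 1 (the non-numeric fragments coerce to 0 and are dropped).
printf("vulnerable: %s\n", json_encode(groups_vulnerable($db, $payload)));
printf("fixed:      %s\n", json_encode(groups_fixed($db, $payload)));
```

Run with `php example.php` (PDO's SQLite driver ships with most PHP builds). In a WordPress plugin the same fix is spelled with `$wpdb->prepare()`, which takes `%d`/`%s` placeholders rather than `?`: build the placeholder list with `implode( ',', array_fill( 0, count( $ids ), '%d' ) )`, pass `$ids` as the argument array, and keep the `intval` coercion in front of it. Escaping alone (`esc_sql()`) is not a substitute here, because the value sits inside a numeric list, not inside quotes.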

Preconditions

  • auth: Attacker must be authenticated with administrator-level access or higher.
  • config: The Form Maker plugin must be installed and active in a version up to and including 1.15.43.
  • network: Attacker must be able to send HTTP requests to the WordPress admin AJAX endpoints.
  • input: The 'groupids' parameter must be accepted and processed by the vulnerable endpoint.

Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
