Form Maker by 10Web <= 1.15.43 - Authenticated (Administrator+) SQL Injection via 'name' Parameter
Description
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'name' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products (1)
Patches
Vulnerability mechanics
Root cause
"Insufficient escaping on the user-supplied 'name' parameter and lack of prepared statement preparation in the SQL query allow SQL injection."
Attack vector
An attacker with administrator-level access to the WordPress admin panel sends a crafted request containing malicious SQL in the 'name' parameter. The plugin's insufficient escaping and lack of prepared statement preparation [ref_id=1] cause the injected SQL to be appended to the existing query, enabling extraction of sensitive database contents. The attack requires authentication and admin privileges, but no special network position beyond standard HTTP access to the admin dashboard.
Affected code
The vulnerability resides in the Form Maker plugin's handling of the 'name' parameter within the admin-facing SQL query logic. The code at `form-maker.php` (around line 911) and the associated `WDW_FM_Library` class fail to properly escape and prepare user-supplied input before incorporating it into SQL statements. The advisory confirms that insufficient escaping and lack of prepared statements in the SQL query allow an authenticated administrator to inject arbitrary SQL via the 'name' parameter.
What the fix does
The advisory does not include a patch diff, but the recommended fix is to properly escape the 'name' parameter and use prepared statements (parameterized queries) in the SQL query. Without a published patch, the vendor would need to replace the vulnerable direct string interpolation with a prepared statement that binds the 'name' value safely, preventing any injected SQL from being executed.
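As an added illustration, not the plugin's own code (the advisory reproduces no source), the two patterns the root-cause and fix sections describe, written against the WordPress `$wpdb` API: the unprepared concatenation that lets a request value alter the query, beside the prepared-statement form that binds the value. The table `{$wpdb->prefix}formmaker`, the column `title`, the capability and nonce names, and the function names are assumptions; the advisory names only the `name` parameter and the files involved.

```php
<?php
// Added example, not Form Maker's code. Assumes the WordPress runtime
// (global $wpdb, sanitize_text_field, wp_unslash, current_user_can, ...).
// Table and column names are assumptions.

/**
 * Vulnerable pattern: the request value is interpolated straight into the
 * SQL string, so quote characters in $name end the literal and the rest of
 * the value is parsed as SQL. This is the defect the advisory describes.
 */
function fm_example_lookup_vulnerable( $name ) {
    global $wpdb;
    $sql = "SELECT id, title FROM {$wpdb->prefix}formmaker WHERE title = '" . $name . "'";
    return $wpdb->get_results( $sql );
}

/**
 * Hardened pattern: $wpdb->prepare() binds the value to a %s placeholder,
 * so the database always receives one quoted literal whatever it contains.
 */
function fm_example_lookup_prepared( $name ) {
    global $wpdb;
    $name = sanitize_text_field( wp_unslash( $name ) ); // normalise the raw request value first
    $sql  = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}formmaker WHERE title = %s",
        $name
    );
    return $wpdb->get_results( $sql );
}

/**
 * LIKE clauses need one more step: escape the wildcard characters with
 * $wpdb->esc_like() before binding, otherwise a '%' or '_' in the input
 * silently widens the match even though the query is prepared.
 */
function fm_example_search_prepared( $fragment ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( sanitize_text_field( wp_unslash( $fragment ) ) ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, title FROM {$wpdb->prefix}formmaker WHERE title LIKE %s", $like )
    );
}

/**
 * Call site as an admin controller would have it. The capability check is
 * the precondition the advisory lists (administrator-level access); the
 * nonce check ties the request to a form the admin actually submitted.
 * Neither replaces the prepared statement: the query itself must be safe.
 */
function fm_example_admin_handler() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'fm_example_lookup' );
    $name = isset( $_GET['name'] ) ? $_GET['name'] : '';
    return fm_example_lookup_prepared( $name );
}
```

When reviewing a plugin for this class of defect, look for `$wpdb->query()`, `get_results()`, `get_var()` or `get_row()` calls whose SQL string is built by concatenation or double-quoted interpolation of request data; each of those is a candidate for the `$wpdb->prepare()` rewrite shown above, with `%s` for strings and `%d` for integers.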
Preconditions
- Authentication: the attacker must have administrator-level access to the WordPress admin panel.
- Input: the vulnerable 'name' parameter must be accepted and processed by the SQL query without proper escaping or preparation.
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/form-maker/tags/1.15.41/admin/controllers/Select_data_from_db.php
- plugins.trac.wordpress.org/browser/form-maker/tags/1.15.41/admin/models/FMSelectDataFromDb.php
- plugins.trac.wordpress.org/browser/form-maker/tags/1.15.41/form-maker.php
- plugins.trac.wordpress.org/browser/form-maker/tags/1.15.43/admin/controllers/Select_data_from_db.php
- plugins.trac.wordpress.org/browser/form-maker/tags/1.15.43/admin/models/FMSelectDataFromDb.php
- plugins.trac.wordpress.org/browser/form-maker/tags/1.15.43/form-maker.php
- plugins.trac.wordpress.org/changeset
- www.wordfence.com/threat-intel/vulnerabilities/id/513f407d-e90f-4fd1-82dd-c28bab9f76d0
News mentions
No linked articles in our index yet.