{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3330", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-27T14:37:55.825Z", "datePublished": "2026-04-17T03:36:43.818Z", "dateUpdated": "2026-04-17T03:36:43.818Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-17T03:36:43.818Z"}, "affected": [{"vendor": "10web", "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag & Drop Contact Form Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.15.40", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the 'ip_search', 'startdate', 'enddate', 'username_search', and 'useremail_search' parameters in all versions up to, and including, 1.15.40. This is due to the `WDW_FM_Library::validate_data()` method calling `stripslashes()` on user input (removing WordPress's `wp_magic_quotes()` protection) and the `FMModelSubmissions_fm::get_labels_parameters()` function directly concatenating user-supplied values into SQL queries without using `$wpdb->prepare()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Additionally, the Submissions controller skips nonce verification for the `display` task, which means this vulnerability can be triggered via CSRF by tricking an administrator into clicking a crafted link."}], "title": "Form Maker by 10Web <= 1.15.40 - Authenticated (Administrator+) SQL Injection via 'ip_search' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e383b8a-27e5-4b35-8d11-6e4102255d44?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.22/admin/models/Submissions_fm.php#L154"}, {"url": "https://plugins.trac.wordpress.org/browser/form-maker/trunk/admin/models/Submissions_fm.php#L154"}, {"url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.22/framework/WDW_FM_Library.php#L415"}, {"url": "https://plugins.trac.wordpress.org/browser/form-maker/trunk/framework/WDW_FM_Library.php#L415"}, {"url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.22/admin/controllers/Submissions_fm.php#L84"}, {"url": "https://plugins.trac.wordpress.org/browser/form-maker/trunk/admin/controllers/Submissions_fm.php#L84"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3501693%40form-maker&new=3501693%40form-maker&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Sein Linn"}], "timeline": [{"time": "2026-02-27T14:54:41.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-16T15:04:04.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the 'ip_search', 'startdate', 'enddate', 'username_search', and 'useremail_search' parameters in all versions up to, and including, 1.15.40. This is due to the `WDW_FM_Library::validate_data()` method calling `stripslashes()` on user input (removing WordPress's `wp_magic_quotes()` protection) and the `FMModelSubmissions_fm::get_labels_parameters()` function directly concatenating user-supplied values into SQL queries without using `$wpdb->prepare()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Additionally, the Submissions controller skips nonce verification for the `display` task, which means this vulnerability can be triggered via CSRF by tricking an administrator into clicking a crafted link."}], "id": "CVE-2026-3330", "lastModified": "2026-04-17T05:16:18.080", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-17T05:16:18.080", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.22/admin/controllers/Submissions_fm.php#L84"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.22/admin/models/Submissions_fm.php#L154"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.22/framework/WDW_FM_Library.php#L415"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/form-maker/trunk/admin/controllers/Submissions_fm.php#L84"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/form-maker/trunk/admin/models/Submissions_fm.php#L154"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/form-maker/trunk/framework/WDW_FM_Library.php#L415"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3501693%40form-maker&new=3501693%40form-maker&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e383b8a-27e5-4b35-8d11-6e4102255d44?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T05:52:17.703384+00:00", "value": {"mitigation_remediation": ["Update the Form Maker plugin to the latest version available, which removes the vulnerable code paths.", "If an immediate update cannot be performed, remove administrator privileges from any accounts that are not needed, and close any web interfaces that can trigger the affected admin endpoints.", "Ensure that all admin sessions use strong, unique passwords and enable two\u2011factor authentication where possible to reduce the chance of credential compromise."], "summary": {"action": "Patch Immediately", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "All instances of the 10Web Form Maker plugin for WordPress up to and including version 1.15.40 are affected. This includes any site that has installed the plugin and has users with administrator or higher privileges.", "description_and_impact": "The vulnerability allows authenticated WordPress administrators to execute arbitrary SQL statements through malformed input sent to the 'ip_search', 'startdate', 'enddate', 'username_search', and 'useremail_search' parameters. The plugin\u2019s validation routine removes WordPress\u2019s magic quote protection, and the query construction directly concatenates user data without any prepared statement handling. As a result, an attacker can append additional SQL commands to the query, potentially extracting sensitive database contents. In addition, the submissions controller skips nonce verification for the display task, enabling a CSRF attack that could trigger the injection if a privileged user visits a crafted link.", "risk_and_exploitability": "The flaw has a CVSS score of 4.9, indicating moderate severity. Because exploitation requires administrator access, the likelihood of successful exploitation is lower than for a public-facing vulnerability, but the presence of a CSRF vector raises the risk for compromised user sessions. EPSS data is unavailable and the vulnerability is not listed in CISA\u2019s KEV catalog."}}}}, "created": "2026-04-17T06:00:09.272405+00:00", "updated": "2026-04-17T06:00:09.272418+00:00", "vendors": []}