Form Maker by 10Web plugin for WordPress: SQL Injection via User Search Parameters
CVE-2026-3330
Summary
The Form Maker plugin for WordPress contains a SQL injection flaw that lets an authenticated attacker with Administrator-level access read sensitive information from the database. Because one request path lacks a nonce check, the flaw can also be triggered through CSRF by tricking an administrator into clicking a crafted link. To fix the issue, update the plugin to the latest version, or remove it if it is not essential to your website.
Original title
The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the 'ip_search', 'startdate', 'enddate', 'username_search', and 'useremail_search' parameters in all versions up to, ...
Original description
The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the 'ip_search', 'startdate', 'enddate', 'username_search', and 'useremail_search' parameters in all versions up to, and including, 1.15.40. This is due to the `WDW_FM_Library::validate_data()` method calling `stripslashes()` on user input (removing WordPress's `wp_magic_quotes()` protection) and the `FMModelSubmissions_fm::get_labels_parameters()` function directly concatenating user-supplied values into SQL queries without using `$wpdb->prepare()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Additionally, the Submissions controller skips nonce verification for the `display` task, which means this vulnerability can be triggered via CSRF by tricking an administrator into clicking a crafted link.
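To show the two defects the description names (stripslashes() undoing wp_magic_quotes(), then raw concatenation into SQL) beside the fix the WordPress API provides (nonce verification, wp_unslash()/sanitize_text_field(), $wpdb->prepare()), here is an added illustration. It is not the plugin's code; the function, column and nonce names are assumed.

```php
<?php
// Added illustration, not the plugin's own code. Function, column and nonce
// names are placeholders chosen for this example.

// --- The pattern the description attributes to the vulnerable versions ---
function unsafe_submission_where( $wpdb ) {
    // stripslashes() removes the escaping wp_magic_quotes() added, so a quote
    // character in the request reaches the query as a literal quote.
    $username = isset( $_GET['username_search'] ) ? stripslashes( $_GET['username_search'] ) : '';
    $ip       = isset( $_GET['ip_search'] ) ? stripslashes( $_GET['ip_search'] ) : '';

    $where = 'WHERE 1=1';
    if ( $username !== '' ) {
        $where .= " AND username LIKE '%" . $username . "%'"; // unparameterised
    }
    if ( $ip !== '' ) {
        $where .= " AND ip = '" . $ip . "'";                   // unparameterised
    }
    return $where;
}

// --- Hardened pattern: nonce check, sanitised input, $wpdb->prepare() ---
function safe_submission_where( $wpdb ) {
    // CSRF protection: the "display" task must carry a nonce that the admin
    // page generated with wp_nonce_url(); the action/field names are assumed.
    check_admin_referer( 'fm_submissions_display', 'nonce' );

    // wp_unslash() reverses wp_magic_quotes() in the supported way, and
    // sanitize_text_field() strips tags and control characters.
    $username = isset( $_GET['username_search'] ) ? sanitize_text_field( wp_unslash( $_GET['username_search'] ) ) : '';
    $ip       = isset( $_GET['ip_search'] ) ? sanitize_text_field( wp_unslash( $_GET['ip_search'] ) ) : '';

    $where = 'WHERE 1=1';
    if ( $username !== '' ) {
        // esc_like() escapes % and _ so the value cannot widen the LIKE pattern;
        // prepare() then quotes and escapes the whole value as a bound string.
        $like   = '%' . $wpdb->esc_like( $username ) . '%';
        $where .= $wpdb->prepare( ' AND username LIKE %s', $like );
    }
    if ( $ip !== '' ) {
        $where .= $wpdb->prepare( ' AND ip = %s', $ip );
    }
    return $where;
}
```

The same treatment applies to the 'startdate', 'enddate' and 'useremail_search' parameters: unslash, sanitise, then bind with %s (or %d for integer fields) rather than concatenate.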
NVD CVSS 3.1 score: 4.9
Vulnerability type
CWE-89
SQL Injection
References
- https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.22/admin/control...
- https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.22/admin/models/...
- https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.22/framework/WDW...
- https://plugins.trac.wordpress.org/browser/form-maker/trunk/admin/controllers/Su...
- https://plugins.trac.wordpress.org/browser/form-maker/trunk/admin/models/Submiss...
- https://plugins.trac.wordpress.org/browser/form-maker/trunk/framework/WDW_FM_Lib...
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5e383b8a-27e5-4b35-8d1...
Published: 17 Apr 2026 · Updated: 17 Apr 2026 · First seen: 17 Apr 2026