cleantalk
Vulnerabilities and Security Researches

Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder, CVE-2018-25346

CVE, Research URL

CVE-2018-25346

Published on
May 23, 2026
Research Description
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder [form-maker] <= 1.12.24 (unfixed), CVE-2018-25346

WordPress Form Maker Plugin 1.12.24 and below contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through the FormMakerSQLMapping and generete_csv actions. Attackers can submit POST requests with malicious SQL payloads in the name and search_labels parameters to extract, modify, or escalate privileges within the WordPress database.
Affected versions
max 1.12.24.
Status
vulnerable