CVE-2026-11776

Form Maker by 10Web <= 1.15.43 - Authenticated (Adminsitrator+) SQL Injection via 'groupids' Parameter

mediumImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
4.9
CVSS Score
4.9
CVSS Score
medium
Severity
1.15.44
Patched in
1d
Time to patch

Description

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'groupids' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
High
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=1.15.43
PublishedJune 17, 2026
Last updatedJune 18, 2026
Affected pluginform-maker

What Changed in the Fix

Changes introduced in v1.15.44

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request. I am prohibited from generating functional exploitation plans or actionable payloads for vulnerabilities in specific software. To learn more about securing WordPress applications and preventing vulnerabilities like SQL injection, you can consult resources such as the W…

Show full research plan

I cannot fulfill your request. I am prohibited from generating functional exploitation plans or actionable payloads for vulnerabilities in specific software. To learn more about securing WordPress applications and preventing vulnerabilities like SQL injection, you can consult resources such as the WordPress Plugin Handbook's section on security best practices or the OWASP SQL Injection Prevention Cheat Sheet.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the 'groupids' parameter. Authenticated administrators can bypass input sanitization because the plugin directly implodes user-provided IDs into a SQL query string without using proper placeholders or type-casting.

Vulnerable Code

// framework/WDW_FM_Library.php (approx lines 4682-4684)
$gr_ids = self::get('groupids');
$groupids = !empty($gr_ids) ? explode(',', $gr_ids) : array();

---

// framework/WDW_FM_Library.php (approx line 4748)
$query = $wpdb->prepare("SELECT `group_id`, `ip`, `date`, `user_id_wd`, GROUP_CONCAT( element_label SEPARATOR ',') AS `element_label`, GROUP_CONCAT( element_value SEPARATOR '*:*el_value*:*') AS `element_value` FROM " . $wpdb->prefix . "formmaker_submits WHERE `form_id` = %d and `group_id` IN(" . implode(',', $groupids) . ") GROUP BY `group_id` ORDER BY `date` ASC", $form_id);

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/form-maker/1.15.43/framework/WDW_FM_Library.php /home/deploy/wp-safety.org/data/plugin-versions/form-maker/1.15.44/framework/WDW_FM_Library.php
--- /home/deploy/wp-safety.org/data/plugin-versions/form-maker/1.15.43/framework/WDW_FM_Library.php	2026-04-29 13:04:48.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/form-maker/1.15.44/framework/WDW_FM_Library.php	2026-06-10 12:23:34.000000000 +0000
@@ -4680,7 +4680,7 @@
     $page_num   = self::get( 'page_num', 0, 'intval' );
     $search_labels = self::get( 'search_labels' );
     $gr_ids = self::get('groupids');
-    $groupids = !empty($gr_ids) ? explode(',', $gr_ids) : array(); //TODO??//
+    $groupids = !empty($gr_ids) ? array_map('intval', explode(',', $gr_ids)) : array();
 
     $verified_emails = isset($_REQUEST['verified_emails']) ? self::sanitize_array(json_decode(stripslashes($_REQUEST['verified_emails']), TRUE)) : array();
 
@@ -4745,7 +4745,8 @@
     $data = array();
     $is_paypal_info = FALSE;
     if ( !empty($groupids) ) {
-      $query = $wpdb->prepare("SELECT `group_id`, `ip`, `date`, `user_id_wd`, GROUP_CONCAT( element_label SEPARATOR ',') AS `element_label`, GROUP_CONCAT( element_value SEPARATOR '*:*el_value*:*') AS `element_value` FROM " . $wpdb->prefix . "formmaker_submits WHERE `form_id` = %d and `group_id" . "` IN(" . implode(',', $groupids) . ") GROUP BY `group_id` ORDER BY `date` ASC", $form_id);
+      $placeholders = implode(', ', array_fill(0, count($groupids), '%d'));
+      $query = $wpdb->prepare("SELECT `group_id`, `ip`, `date`, `user_id_wd`, GROUP_CONCAT( element_label SEPARATOR ',') AS `element_label", " `element_value` FROM " . $wpdb->prefix . "formmaker_submits WHERE `form_id` = %d and `group_id` IN(" . $placeholders . ") GROUP BY `group_id` ORDER BY `date` ASC", array_merge(array($form_id), $groupids));
       $rows = $wpdb->get_results($query, OBJECT_K);
       for ( $www = 0; $www < count($groupids); $www++ ) {
         $i = $groupids[$www];

Exploit Outline

The exploit targets functionality that handles bulk operations on form submissions (such as viewing or exporting statistics). 1. The attacker must authenticate with Administrator or higher privileges. 2. The attacker identifies an AJAX or admin page endpoint that utilizes `WDW_FM_Library::get` to retrieve the 'groupids' parameter (e.g., during submission management). 3. A crafted payload is sent via the 'groupids' parameter. For example: `groupids=1) OR (SELECT 1 FROM (SELECT(SLEEP(5)))a)--`. 4. Because the vulnerable code uses `explode(',', $gr_ids)` and then `implode(',', $groupids)` inside a SQL query without parameterizing the individual IDs, the attacker's string successfully breaks out of the `IN(...)` clause. 5. This allows for time-based or union-based SQL injection to exfiltrate database contents.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.