Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.38 - Unauthenticated SQL Injection
Description
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.15.38 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NTechnical Details
What Changed in the Fix
Changes introduced in v1.15.39
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-39502 (Form Maker by 10Web) ## 1. Vulnerability Summary The **Form Maker by 10Web** plugin (up to 1.15.38) contains an unauthenticated SQL injection vulnerability. The flaw exists because the plugin fails to properly escape or use prepared statements when proc…
Show full research plan
Exploitation Research Plan: CVE-2026-39502 (Form Maker by 10Web)
1. Vulnerability Summary
The Form Maker by 10Web plugin (up to 1.15.38) contains an unauthenticated SQL injection vulnerability. The flaw exists because the plugin fails to properly escape or use prepared statements when processing the formType parameter in the FMControllerForm_maker::display() method, which is then passed to the FMModelForm_maker::showform() database query. An unauthenticated attacker can append arbitrary SQL commands to the query, allowing for sensitive data extraction.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
formmakerwdcaptcha(registered as anoprivaction inform-maker.php, line 141) - Vulnerable Parameter:
formType - Other Required Parameters:
controller:form_maker(to route the request to the correct controller)current_id: A valid integer representing an existing form ID.
- Authentication: None required (Unauthenticated).
3. Code Flow
- Entry Point: A POST request is sent to
admin-ajax.phpwithaction=formmakerwdcaptcha. - Hook Execution: WordPress fires the
wp_ajax_nopriv_formmakerwdcaptchahook,
Summary
The Form Maker by 10Web plugin for WordPress is vulnerable to unauthenticated SQL injection due to the lack of proper escaping and query preparation for the 'formType' parameter and other user-controlled input values. An attacker can exploit this by sending crafted AJAX requests to the 'formmakerwdcaptcha' action, allowing them to append arbitrary SQL commands and extract sensitive data from the database.
Vulnerable Code
// frontend/controllers/form_maker.php - around line 339 /* Use for ajax submit */ if( WDW_FM_Library(self::PLUGIN)->get('formType') != '' ) { $type = WDW_FM_Library(self::PLUGIN)->get('formType'); $id = WDW_FM_Library(self::PLUGIN)->get('current_id', 0, 'intval'); } if ( $type == 'embedded' ) { $result = $this->model->showform($id, $type); --- // frontend/controllers/form_maker.php - around line 316 list($input_id, $input_val) = explode('|', $val); $str_key = '{'. $input_id .'}'; if ( strpos($params, $str_key) > -1 ) { $params = str_replace( $str_key, $input_val, $params ); }
Security Fix
@@ -3,7 +3,7 @@ * Plugin Name: Form Maker * Plugin URI: https://10web.io/plugins/wordpress-form-maker/?utm_source=form_maker&utm_medium=free_plugin * Description: This plugin is a modern and advanced tool for easy and fast creating of a WordPress Form. The backend interface is intuitive and user friendly which allows users far from scripting and programming to create WordPress Forms. - * Version: 1.15.38 + * Version: 1.15.39 * Author: 10Web Form Builder Team * Author URI: https://10web.io/plugins/?utm_source=form_maker&utm_medium=free_plugin * License: GNU/GPLv3 http://www.gnu.org/licenses/gpl-3.0.html @@ -26,8 +26,8 @@ public $plugin_url = ''; public $front_urls = array(); public $main_file = ''; - public $plugin_version = '1.15.38'; - public $db_version = '2.15.38'; + public $plugin_version = '1.15.39'; + public $db_version = '2.15.39'; public $menu_postfix = '_fm'; public $plugin_postfix = ''; public $handle_prefix = 'fm'; @@ -316,7 +316,9 @@ list($input_id, $input_val) = explode('|', $val); $str_key = '{'. $input_id .'}'; if ( strpos($params, $str_key) > -1 ) { - $params = str_replace( $str_key, $input_val, $params ); + // Escape for safe use inside SQL WHERE (params can end up in DB-backed choice queries). + $safe_val = trim( $wpdb->prepare( '%s', $input_val ), "'" ); + $params = str_replace( $str_key, $safe_val, $params ); } }
Exploit Outline
The exploit targets the AJAX endpoint `/wp-admin/admin-ajax.php`. An unauthenticated attacker can trigger the vulnerability by performing a POST request with the 'action' parameter set to 'formmakerwdcaptcha' (or 'nopriv_formmakerwdcaptcha'). The payload must include 'controller=form_maker', a valid 'current_id' (a numeric form ID), and the malicious SQL injection payload within the 'formType' parameter. This parameter is used to determine the form type in FMControllerForm_maker::display() and is subsequently passed to FMModelForm_maker::showform(), where it is concatenated into an SQL query without proper sanitization. Additionally, placeholders substituted into the 'params' variable are also vulnerable if they are later used in dynamic SQL queries (such as those populating select fields from a database).
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.