Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.42 - Unauthenticated SQL Injection via 'inputs'
Description
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection via the 'inputs' parameter in versions up to, and including, 1.15.42 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NTechnical Details
What Changed in the Fix
Changes introduced in v1.15.43
Source Code
WordPress.org SVN### 1. Vulnerability Summary The **Form Maker by 10Web** plugin (versions <= 1.15.42) is vulnerable to **Unauthenticated SQL Injection** via the `inputs` parameter. The vulnerability exists because the plugin registers several unauthenticated AJAX actions (like `formmakerwdcaptcha`) that delegate …
Show full research plan
1. Vulnerability Summary
The Form Maker by 10Web plugin (versions <= 1.15.42) is vulnerable to Unauthenticated SQL Injection via the inputs parameter.
The vulnerability exists because the plugin registers several unauthenticated AJAX actions (like formmakerwdcaptcha) that delegate execution to a central administrator controller (FMControllerManage_fm) without performing any capability checks. This "action hijacking" allows an unauthenticated attacker to invoke admin-only tasks. One such task, related to displaying or filtering form submissions, uses the inputs parameter to build a SQL query.
Although the input is passed through WDW_FM_Library::get(), which uses sanitize_text_field(), this function does not escape SQL metacharacters (like single quotes). The resulting value is then interpolated directly into a SQL statement without using $wpdb->prepare(), allowing for arbitrary SQL command execution.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - AJAX Action:
formmakerwdcaptcha(Unauthenticated viawp_ajax_nopriv_) - Task/Sub-Action:
FormMakerSubmits(The internal task to hijack) - Vulnerable Parameter:
inputs - Authentication: Unauthenticated (No login required)
- Preconditions: The plugin must be active. A form should ideally exist to provide valid context, though not strictly required if targeting global tables like `wp
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.