[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fXXIowjmvbLG1prmmZyJZC_I5kKEGD-LZNnNZNoD_ZLo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-39502","form-maker-by-10web-mobile-friendly-drag-drop-contact-form-builder-unauthenticated-sql-injection","Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder \u003C= 1.15.38 - Unauthenticated SQL Injection","The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.15.38 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","form-maker",null,"\u003C=1.15.38","1.15.39","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-04-08 00:00:00","2026-04-13 21:10:58",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F05d063e3-4863-4dd5-9219-6240b9b3f939?source=api-prod",6,[22,23,24],"form-maker.php","frontend\u002Fcontrollers\u002Fform_maker.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-39502 (Form Maker by 10Web)\n\n## 1. Vulnerability Summary\nThe **Form Maker by 10Web** plugin (up to 1.15.38) contains an unauthenticated SQL injection vulnerability. The flaw exists because the plugin fails to properly escape or use prepared statements when processing the `formType` parameter in the `FMControllerForm_maker::display()` method, which is then passed to the `FMModelForm_maker::showform()` database query. An unauthenticated attacker can append arbitrary SQL commands to the query, allowing for sensitive data extraction.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `formmakerwdcaptcha` (registered as a `nopriv` action in `form-maker.php`, line 141)\n- **Vulnerable Parameter**: `formType`\n- **Other Required Parameters**:\n    - `controller`: `form_maker` (to route the request to the correct controller)\n    - `current_id`: A valid integer representing an existing form ID.\n- **Authentication**: None required (Unauthenticated).\n\n## 3. Code Flow\n1. **Entry Point**: A POST request is sent to `admin-ajax.php` with `action=formmakerwdcaptcha`.\n2. **Hook Execution**: WordPress fires the `wp_ajax_nopriv_formmakerwdcaptcha` hook,","The Form Maker by 10Web plugin for WordPress is vulnerable to unauthenticated SQL injection due to the lack of proper escaping and query preparation for the 'formType' parameter and other user-controlled input values. An attacker can exploit this by sending crafted AJAX requests to the 'formmakerwdcaptcha' action, allowing them to append arbitrary SQL commands and extract sensitive data from the database.","\u002F\u002F frontend\u002Fcontrollers\u002Fform_maker.php - around line 339\n    \u002F* Use for ajax submit *\u002F\n    if( WDW_FM_Library(self::PLUGIN)->get('formType') != '' ) {\n      $type = WDW_FM_Library(self::PLUGIN)->get('formType');\n      $id = WDW_FM_Library(self::PLUGIN)->get('current_id', 0, 'intval');\n    }\n\n    if ( $type == 'embedded' ) {\n      $result = $this->model->showform($id, $type);\n\n---\n\n\u002F\u002F frontend\u002Fcontrollers\u002Fform_maker.php - around line 316\n            list($input_id, $input_val) = explode('|', $val);\n            $str_key = '{'. $input_id .'}';\n            if ( strpos($params, $str_key) > -1 ) {\n              $params = str_replace( $str_key, $input_val, $params );\n            }","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fform-maker\u002F1.15.38\u002Fform-maker.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fform-maker\u002F1.15.39\u002Fform-maker.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fform-maker\u002F1.15.38\u002Fform-maker.php\t2026-03-18 10:07:04.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fform-maker\u002F1.15.39\u002Fform-maker.php\t2026-03-20 12:15:32.000000000 +0000\n@@ -3,7 +3,7 @@\n  * Plugin Name: Form Maker\n  * Plugin URI: https:\u002F\u002F10web.io\u002Fplugins\u002Fwordpress-form-maker\u002F?utm_source=form_maker&utm_medium=free_plugin\n  * Description: This plugin is a modern and advanced tool for easy and fast creating of a WordPress Form. The backend interface is intuitive and user friendly which allows users far from scripting and programming to create WordPress Forms.\n- * Version: 1.15.38\n+ * Version: 1.15.39\n  * Author: 10Web Form Builder Team\n  * Author URI: https:\u002F\u002F10web.io\u002Fplugins\u002F?utm_source=form_maker&utm_medium=free_plugin \n  * License: GNU\u002FGPLv3 http:\u002F\u002Fwww.gnu.org\u002Flicenses\u002Fgpl-3.0.html\n@@ -26,8 +26,8 @@\n   public $plugin_url = '';\n   public $front_urls = array();\n   public $main_file = '';\n-  public $plugin_version = '1.15.38';\n-  public $db_version = '2.15.38';\n+  public $plugin_version = '1.15.39';\n+  public $db_version = '2.15.39';\n   public $menu_postfix = '_fm';\n   public $plugin_postfix = '';\n   public $handle_prefix = 'fm';\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fform-maker\u002F1.15.38\u002Ffrontend\u002Fcontrollers\u002Fform_maker.php\t2022-05-17 07:34:14.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fform-maker\u002F1.15.39\u002Ffrontend\u002Fcontrollers\u002Fform_maker.php\t2026-03-20 12:15:32.000000000 +0000\n@@ -316,7 +316,9 @@\n             list($input_id, $input_val) = explode('|', $val);\n             $str_key = '{'. $input_id .'}';\n             if ( strpos($params, $str_key) > -1 ) {\n-              $params = str_replace( $str_key, $input_val, $params );\n+              \u002F\u002F Escape for safe use inside SQL WHERE (params can end up in DB-backed choice queries).\n+              $safe_val = trim( $wpdb->prepare( '%s', $input_val ), \"'\" );\n+              $params = str_replace( $str_key, $safe_val, $params );\n             }\n           }","The exploit targets the AJAX endpoint `\u002Fwp-admin\u002Fadmin-ajax.php`. An unauthenticated attacker can trigger the vulnerability by performing a POST request with the 'action' parameter set to 'formmakerwdcaptcha' (or 'nopriv_formmakerwdcaptcha'). The payload must include 'controller=form_maker', a valid 'current_id' (a numeric form ID), and the malicious SQL injection payload within the 'formType' parameter. This parameter is used to determine the form type in FMControllerForm_maker::display() and is subsequently passed to FMModelForm_maker::showform(), where it is concatenated into an SQL query without proper sanitization. Additionally, placeholders substituted into the 'params' variable are also vulnerable if they are later used in dynamic SQL queries (such as those populating select fields from a database).","gemini-3-flash-preview","2026-04-17 20:04:00","2026-04-17 20:04:58",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","1.15.38","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fform-maker\u002Ftags\u002F1.15.38","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fform-maker.1.15.38.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fform-maker\u002Ftags\u002F1.15.39","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fform-maker.1.15.39.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fform-maker\u002Ftags"]