CVE-2019-10866

CRITICAL

10web Form Maker < 1.13.3 - SQL Injection via Submissioc Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-10866. PoCs published by Daniele Scanu.

AI-analyzed exploit summary This exploit demonstrates a time-based SQL injection vulnerability in WordPress Plugin Form Maker 1.13.3, allowing an attacker to dump the admin password by leveraging the vulnerable 'order_by' parameter.

Description

In the Form Maker plugin before 1.13.3 for WordPress, it's possible to achieve SQL injection in the function get_labels_parameters in the file form-maker/admin/models/Submissions_fm.php with a crafted value of the /models/Submissioc parameter.

Exploits (1)

exploitdb WORKING POC

by Daniele Scanu · textwebappsphp

https://www.exploit-db.com/exploits/46958

View Code ZIP pw:eip

This exploit demonstrates a time-based SQL injection vulnerability in WordPress Plugin Form Maker 1.13.3, allowing an attacker to dump the admin password by leveraging the vulnerable 'order_by' parameter.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: WordPress Plugin Form Maker 1.13.3

Auth required

Prerequisites: Valid WordPress credentials · Access to the vulnerable endpoint

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Release Notes, Third Party Advisory x_refsource_misc

https://wordpress.org/plugins/form-maker/#developers

Exploit, Mailing List, Third Party Advisory x_refsource_misc

http://seclists.org/fulldisclosure/2019/May/8

Third Party Advisory x_refsource_misc

https://wpvulndb.com/vulnerabilities/9286

Scores

CVSS v3 9.8

EPSS 0.0621

EPSS Percentile 92.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

10web/form_maker < 1.13.3

Published May 23, 2019

Tracked Since Feb 18, 2026