CVE-2019-10866

CRITICAL

10web Form Maker < 1.13.3 - SQL Injection

Title source: rule

Description

In the Form Maker plugin before 1.13.3 for WordPress, it's possible to achieve SQL injection in the function get_labels_parameters in the file form-maker/admin/models/Submissions_fm.php with a crafted value of the /models/Submissioc parameter.

Exploits (1)

exploitdb WORKING POC

by Daniele Scanu · textwebappsphp

https://www.exploit-db.com/exploits/46958

View Code ZIP pw:eip

References (3)

[Exploit, Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2019/May/8

[Release Notes, Third Party Advisory] https://wordpress.org/plugins/form-maker/#developers

[Third Party Advisory] https://wpvulndb.com/vulnerabilities/9286

Scores

CVSS v3 9.8

EPSS 0.1350

EPSS Percentile 94.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

10web/form_maker < 1.13.3

Published May 23, 2019

Tracked Since Feb 18, 2026