Form Maker By 10Web – Mobile Friendly Drag & Drop Contact Form Builder
Approved changes feed: RSS · Atom
cpe:2.3:a:10web:form_maker_by_10web_–_mobile-friendly_drag_&_drop_contact_form_builder:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | 10Web (a48aaa7e-f686-5cd9-9b59-60b5c3bf60d0) |
|---|---|
| Product | Form Maker By 10Web – Mobile Friendly Drag & Drop Contact Form Builder (672f1322-5934-5d2b-8ae0-8f6a6e7b90c6) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2026-4388 |
vulnerable | 2026-06-08 08:05:13.310764 |
Form Maker by 10Web <= 1.15.40 - Unauthenticated Stored Cross-Site Scripting via Matrix Field Text Box
HIGH (7.2)
The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization (`sanitize_text_field` strips tags but not quotes) and missing output escaping when rendering submission data in the admin Submissions view. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript through a form submission that executes in the browser of an administrator who views the submission details.
Published: 2026-04-14T02:25:48.339Z
Updated: 2026-04-14T14:04:52.784Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-3359 |
vulnerable | 2026-06-08 08:01:18.515315 |
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.42 - Unauthenticated SQL Injection via 'inputs'
HIGH (7.5)
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection via the 'inputs' parameter in versions up to, and including, 1.15.42 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-05-05T07:42:06.700Z
Updated: 2026-05-06T12:37:03.067Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-3330 |
vulnerable | 2026-06-08 08:01:18.405244 |
Form Maker by 10Web <= 1.15.40 - Authenticated (Administrator+) SQL Injection via 'ip_search' Parameter
MEDIUM (4.9)
The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the 'ip_search', 'startdate', 'enddate', 'username_search', and 'useremail_search' parameters in all versions up to, and including, 1.15.40. This is due to the `WDW_FM_Library::validate_data()` method calling `stripslashes()` on user input (removing WordPress's `wp_magic_quotes()` protection) and the `FMModelSubmissions_fm::get_labels_parameters()` function directly concatenating user-supplied values into SQL queries without using `$wpdb->prepare()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Additionally, the Submissions controller skips nonce verification for the `display` task, which means this vulnerability can be triggered via CSRF by tricking an administrator into clicking a crafted link.
Published: 2026-04-17T03:36:43.818Z
Updated: 2026-04-17T11:15:39.808Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1065 |
vulnerable | 2026-06-08 07:47:14.280218 |
Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via SVG file
HIGH (7.2)
The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms.
Published: 2026-02-03T06:38:04.369Z
Updated: 2026-04-08T17:03:54.659Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-1058 |
vulnerable | 2026-06-08 07:47:14.271431 |
Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via Hidden Field
HIGH (7.1)
The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses html_entity_decode() on user-supplied hidden field values without subsequent escaping before output, which converts HTML entity-encoded payloads back into executable JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin submissions view that will execute whenever an administrator accesses the submissions list.
Published: 2026-02-03T06:38:05.509Z
Updated: 2026-04-08T17:28:49.695Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-8633 |
vulnerable | 2026-06-08 07:00:25.303328 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-5020 |
vulnerable | 2026-06-08 06:56:14.619728 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-2258 |
vulnerable | 2026-06-08 06:33:30.719643 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-2112 |
vulnerable | 2026-06-08 06:33:30.365087 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-10265 |
vulnerable | 2026-06-08 06:22:03.877724 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-0667 |
vulnerable | 2026-06-08 06:22:01.677138 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.