Approved changes feed: RSS · Atom

cpe:2.3:a:10web:form_maker_by_10web_–_mobile-friendly_drag_&_drop_contact_form_builder:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor10Web (a48aaa7e-f686-5cd9-9b59-60b5c3bf60d0)
ProductForm Maker By 10Web – Mobile Friendly Drag & Drop Contact Form Builder (672f1322-5934-5d2b-8ae0-8f6a6e7b90c6)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from gcve-enriched-dumps CVE data

PURL mappings

PURLSourceLast updated
No PURL mappings for this CPE yet.

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2026-4388 vulnerable 2026-06-08 08:05:13.310764 Form Maker by 10Web <= 1.15.40 - Unauthenticated Stored Cross-Site Scripting via Matrix Field Text Box
HIGH (7.2)
The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization (`sanitize_text_field` strips tags but not quotes) and missing output escaping when rendering submission data in the admin Submissions view. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript through a form submission that executes in the browser of an administrator who views the submission details.
Published: 2026-04-14T02:25:48.339Z
Updated: 2026-04-14T14:04:52.784Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-3359 vulnerable 2026-06-08 08:01:18.515315 Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.42 - Unauthenticated SQL Injection via 'inputs'
HIGH (7.5)
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection via the 'inputs' parameter in versions up to, and including, 1.15.42 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-05-05T07:42:06.700Z
Updated: 2026-05-06T12:37:03.067Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-3330 vulnerable 2026-06-08 08:01:18.405244 Form Maker by 10Web <= 1.15.40 - Authenticated (Administrator+) SQL Injection via 'ip_search' Parameter
MEDIUM (4.9)
The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the 'ip_search', 'startdate', 'enddate', 'username_search', and 'useremail_search' parameters in all versions up to, and including, 1.15.40. This is due to the `WDW_FM_Library::validate_data()` method calling `stripslashes()` on user input (removing WordPress's `wp_magic_quotes()` protection) and the `FMModelSubmissions_fm::get_labels_parameters()` function directly concatenating user-supplied values into SQL queries without using `$wpdb->prepare()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Additionally, the Submissions controller skips nonce verification for the `display` task, which means this vulnerability can be triggered via CSRF by tricking an administrator into clicking a crafted link.
Published: 2026-04-17T03:36:43.818Z
Updated: 2026-04-17T11:15:39.808Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-1065 vulnerable 2026-06-08 07:47:14.280218 Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via SVG file
HIGH (7.2)
The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms.
Published: 2026-02-03T06:38:04.369Z
Updated: 2026-04-08T17:03:54.659Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-1058 vulnerable 2026-06-08 07:47:14.271431 Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via Hidden Field
HIGH (7.1)
The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses html_entity_decode() on user-supplied hidden field values without subsequent escaping before output, which converts HTML entity-encoded payloads back into executable JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin submissions view that will execute whenever an administrator accesses the submissions list.
Published: 2026-02-03T06:38:05.509Z
Updated: 2026-04-08T17:28:49.695Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-8633 vulnerable 2026-06-08 07:00:25.303328 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-5020 vulnerable 2026-06-08 06:56:14.619728 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-2258 vulnerable 2026-06-08 06:33:30.719643 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-2112 vulnerable 2026-06-08 06:33:30.365087 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-10265 vulnerable 2026-06-08 06:22:03.877724 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-0667 vulnerable 2026-06-08 06:22:01.677138 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.