CVE-2018-25346

HIGH 7.1

WordPress Form Maker Plugin 1.12.24 SQL Injection via admin-ajax.php

CVSS Score

7.1

EPSS Score

0.0%

EPSS Percentile

8th

WordPress Form Maker Plugin 1.12.24 and below contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through the FormMakerSQLMapping and generete_csv actions. Attackers can submit POST requests with malicious SQL payloads in the name and search_labels parameters to extract, modify, or escalate privileges within the WordPress database.

CWE	CWE-89
Vendor	10web
Product	form maker
Published	May 23, 2026
Last Updated	May 26, 2026

Stay Ahead of the Next One

Get instant alerts for 10web form maker

Be the first to know when new high vulnerabilities affecting 10web form maker are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Affected Versions

10Web / Form Maker

0 ≤ 1.12.24

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/44853 vulncheck.com: https://www.vulncheck.com/advisories/wordpress-form-maker-plugin-sql-injection-via-admin-ajax-php

Credits

Neven Biruski