CVE-2025-15441
SQL Injection in Form Maker by 10Web WordPress Plugin

Publication date: 2026-04-13

Last updated on: 2026-04-13

Assigner: WPScan

Description
The Form Maker by 10Web WordPress plugin before 1.15.38 does not properly prepare SQL queries when the "MySQL Mapping" feature is in use, which could make SQL Injection attacks possible in certain contexts.
Meta Information
Published: 2026-04-13
Last Modified: 2026-04-13
Generated: 2026-05-07
AI Q&A: 2026-04-13
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: 10web
Product: form_maker
Version / Range: up to 1.15.38 (exclusive)
CWE ID: CWE-89
Description: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-15441 is a vulnerability in the WordPress plugin Form Maker by 10Web, affecting versions before 1.15.38. The issue arises because the plugin does not properly prepare SQL queries when the "MySQL Mapping" feature is enabled.

This improper handling allows attackers to perform SQL Injection attacks by injecting malicious SQL code through form inputs. For example, an attacker can insert a payload that causes the database to execute unintended commands, such as delaying the server response, which confirms the vulnerability.

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and is part of the OWASP Top 10 category A1: Injection.


How can this vulnerability impact me?

This vulnerability can allow attackers to execute arbitrary SQL commands on the affected website's database. This can lead to unauthorized data access, data modification, or denial of service by causing delays or crashes.

Specifically, an attacker could exploit this flaw to manipulate or extract sensitive information stored in the database, potentially compromising the confidentiality and integrity of the data.

Additionally, the vulnerability can be exploited without authentication, increasing the risk and ease of attack.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This SQL Injection vulnerability can be detected by testing the Form Maker plugin's "MySQL Mapping" feature for improper query handling.

  • Navigate to Form Maker > Forms > Form Options > MySQL Mapping in the WordPress admin panel.
  • Create a SQL query targeting a database table, for example: INSERT INTO wp_options (option_name, option_value) VALUES ('sqli_test', {1}) where {1} is the first input field ID.
  • On the front-end form page, enter the payload `1 AND SLEEP(10)` into the input field corresponding to {1}.
  • Submit the form and observe the server response time.

If the server response is delayed by approximately 10 seconds, it confirms that the injected SQL command was executed, indicating the presence of the SQL Injection vulnerability.
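To make the CWE-89 root cause concrete, the following is an added example written for this page, not the plugin's own code: a hypothetical stand-in for a MySQL Mapping template in which {N} marks the N-th form field, built the weak way (field values spliced into the SQL text) and the hardened way (each {N} turned into a bind marker with the value passed separately). It uses an in-memory SQLite table instead of MySQL, and the names MAPPING_TEMPLATE, build_unsafe, build_prepared and run_mapping are assumptions.

```python
import re
import sqlite3

# Constructed stand-in for a "MySQL Mapping" template; {1} is the first form field.
MAPPING_TEMPLATE = (
    "INSERT INTO wp_options (option_name, option_value) VALUES ('sqli_test', {1})"
)
PLACEHOLDER = re.compile(r"\{(\d+)\}")


def build_unsafe(template, fields):
    """Weak pattern: splice the submitted field values straight into the SQL text,
    so anything the user typed is parsed as SQL (CWE-89)."""
    return PLACEHOLDER.sub(lambda m: fields[int(m.group(1)) - 1], template)


def build_prepared(template, fields):
    """Hardened pattern: replace every {N} with a bind marker and hand the values
    to the driver separately, so they can only ever be data."""
    params = [fields[int(n) - 1] for n in PLACEHOLDER.findall(template)]
    return PLACEHOLDER.sub("?", template), params


def run_mapping(fields, hardened):
    """Run the mapping against a throwaway table and return what was stored
    in option_value for the 'sqli_test' row."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE wp_options (option_name TEXT, option_value TEXT)")
    if hardened:
        sql, params = build_prepared(MAPPING_TEMPLATE, fields)
        con.execute(sql, params)
    else:
        con.execute(build_unsafe(MAPPING_TEMPLATE, fields))
    row = con.execute(
        "SELECT option_value FROM wp_options WHERE option_name = 'sqli_test'"
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    # A value containing SQL syntax is evaluated by the weak build but stored
    # verbatim by the prepared build.
    print(run_mapping(["1 OR 1=1"], hardened=False))  # 1
    print(run_mapping(["1 OR 1=1"], hardened=True))   # 1 OR 1=1
```

With the prepared build, the page's own time-delay payload is stored as the literal text the user typed rather than being executed, which is the behaviour the fixed plugin version should exhibit.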


What immediate steps should I take to mitigate this vulnerability?

The immediate and most effective mitigation step is to update the Form Maker plugin to version 1.15.38 or later, where this SQL Injection vulnerability has been fixed.

Until the update can be applied, consider disabling the "MySQL Mapping" feature in the plugin settings to prevent exploitation.

Additionally, monitor your web application logs for suspicious input patterns and consider implementing web application firewall (WAF) rules to block SQL Injection attempts.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability is an SQL Injection flaw that allows attackers to execute arbitrary SQL commands, potentially leading to unauthorized access or manipulation of sensitive data stored in the database.

Such unauthorized access or data manipulation can result in breaches of data confidentiality and integrity, which are critical requirements under common standards and regulations like GDPR and HIPAA.

Therefore, if exploited, this vulnerability could lead to non-compliance with these regulations due to potential exposure or alteration of protected personal or health information.

