Form Maker by 10Web < 1.13.36 – Authenticated SQL Injection

Description

Authenticated (admin+) SQL injection in the Form Maker by 10Web WordPress Plugin 1.13.35 exists via the /wordpress/wp-admin/admin.php?page=blocked_ips_fm&s=1" s parameter.

Edit (WPScanTeam):
- Initial reported version (5.4.1) does not exist, confirmed to be 1.13.35 by researcher
- May 25th, 2020 - details made public in other places
- May 26th, 2020 - Escalated to WP Plugins Team

Proof of Concept

The PoC will be displayed once the issue has been remediated.

Affects Plugins

form-maker

Fixed in 1.13.36

References

URL

https://plugins.trac.wordpress.org/changeset/2313762/form-maker

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

CVSS

8.7 (high)

Miscellaneous

Original Researcher

Vu Tien Hoa - SunCSR (Sun* Cyber Security Research)

Submitter

Vu Tien Hoa

Submitter website

https://research.sun-asterisk.com/

Submitter twitter

https://twitter.com/hoavt_

Verified

WPVDB ID

4e3c4624-7ae4-415c-8e54-a4b2049a4302

Timeline

Publicly Published

2020-05-26 (about 5 years ago)

Added

2020-05-26 (about 5 years ago)

Last Updated

2020-06-05 (about 5 years ago)

Other

Published

Title

Published

2026-03-31

Title

Amelia < 2.1.3 - Authenticated (Manager+) SQL Injection via 'sort' Parameter

Published

2024-05-06

Title

Shipment Tracking, Tracking, and Order Tracking for WooCommerce – ParcelPanel (Free to install) < 3.9.0 - Authenticated (Subscriber+) SQL Injection

Published

2026-02-03

Title

Infility Global <= 2.14.46 - Unauthenticated SQL Injection via Predictable API Key and IP Whitelist Bypass

Published

2026-01-27

Title

Crete Core <= 1.4.3 - Unauthenticated SQL Injection

Published

2022-11-28

Title

JoomSport < 5.2.8 - Unauthenticated SQLi