CVE-2023-4666
- EPSS 49.81%
- Published 16.10.2023 20:15:15
- Last modified 23.04.2025 17:16:45
The Form Maker by 10Web WordPress plugin before 1.15.20 does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files and lead to RCE
CVE-2022-3300
- EPSS 0.35%
- Published 25.10.2022 17:15:56
- Last modified 09.05.2025 19:15:55
The Form Maker by 10Web WordPress plugin before 1.15.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin
CVE-2022-1564
- EPSS 0.2%
- Published 30.05.2022 09:15:09
- Last modified 21.11.2024 06:40:58
The Form Maker by 10Web WordPress plugin before 1.14.12 does not sanitize and escape the Custom Text settings, which could allow high privilege user such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
CVE-2021-24526
- EPSS 0.21%
- Published 16.08.2021 11:15:08
- Last modified 21.11.2024 05:53:14
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin before 1.13.60 does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Sto...
CVE-2019-10866
- EPSS 18.1%
- Published 23.05.2019 19:29:01
- Last modified 21.11.2024 04:20:00
In the Form Maker plugin before 1.13.3 for WordPress, it's possible to achieve SQL injection in the function get_labels_parameters in the file form-maker/admin/models/Submissions_fm.php with a crafted value of the /models/Submissioc parameter.
CVE-2019-11590
- EPSS 0.35%
- Published 29.04.2019 14:29:00
- Last modified 21.11.2024 04:21:23
The 10Web Form Maker plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value a...