Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-10866SQL Injection in Form Maker

CWE-89SQL Injection4 documents4 sources
Severity
9.8CRITICALNVD
EPSS
13.9%
top 5.66%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
10web Form Maker
Timeline
PublishedMay 23
Latest updateMay 24

Description

In the Form Maker plugin before 1.13.3 for WordPress, it's possible to achieve SQL injection in the function get_labels_parameters in the file form-maker/admin/models/Submissions_fm.php with a crafted value of the /models/Submissioc parameter.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

NVD10web/form_maker< 1.13.3

🔴Vulnerability Details

2
GHSA
GHSA-9gwh-2w78-5vgg: In the Form Maker plugin before 12022-05-24
CVEList
CVE-2019-10866: In the Form Maker plugin before 12019-05-23

💥Exploits & PoCs

1
Exploit-DB
WordPress Plugin Form Maker 1.13.3 - SQL Injection2019-06-03
CVE-2019-10866 — SQL Injection in 10web Form Maker | cvebase