cbcvebase.
CVE-2019-10866
published 2019-05-23

Priority: P262 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available
EPSS: 6.21% (92.6th percentile)
In the Form Maker plugin before 1.13.3 for WordPress, it's possible to achieve SQL injection in the function get_labels_parameters in the file form-maker/admin/models/Submissions_fm.php with a crafted value of the /models/Submissioc parameter.

Affected (1 range)

Vendor: 10web
Product: form_maker
Version range: < 1.13.3
Fixed in: 1.13.3

Detection & IOCs (extracted from sources)

url: http://localhost/wordpress/wp-admin/admin.php?page=submissions_fm&task=display&current_id=2&order_by=group_id&asc_or_desc=
path: /wp-admin/admin.php?page=submissions_fm&task=display
path: form-maker/admin/models/Submissions_fm.php
command: ,(case+when+(select+ascii(substring(user_pass,<N>,<N>))+from+wp_users+where+id%3d1)%3d<ORD>+then+(select+sleep(<TIME>)+from+wp_users+limit+1)+else+2+end)+asc%3b
  • Monitor GET requests to wp-admin/admin.php with query parameters page=submissions_fm and asc_or_desc containing SQL time-based blind injection payloads (e.g., CASE/WHEN/SLEEP constructs, URL-encoded SQL keywords such as %3d, %3b, +select+, +sleep+).
  • The vulnerable injection point is the asc_or_desc parameter in the submissions_fm admin page; alert on any non-standard values (anything other than 'asc' or 'desc') in this parameter.
  • Time-based blind SQLi exploitation pattern: repeated requests to the same endpoint with incrementing substring index values and measurable response delays (~0.5s threshold) indicate automated password enumeration from wp_users table.
  • Exploit requires an authenticated WordPress admin session; correlate suspicious wp-login.php POST events immediately followed by anomalous submissions_fm GET requests with SQL-like asc_or_desc values.
  • The exploit targets versions before 1.13.3 of the Form Maker plugin; the NVD description references 1.13.3 as the fixed version boundary, so confirm the installed plugin version before applying detections.
  • The exploit requires authenticated access (WordPress admin credentials); unauthenticated exploitation is not demonstrated, so detections should focus on authenticated admin sessions.
  • The PoC uses a hardcoded TIME threshold of 0.5 seconds for sleep-based detection; real-world attackers may tune this value, so time-based detection rules should use a range rather than a fixed threshold.
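The detection guidance above boils down to one concrete check: on requests to wp-admin/admin.php with page=submissions_fm, the asc_or_desc parameter should only ever be "asc" or "desc". The script below is an added illustration of that rule, not code from this entry, the plugin vendor or the PoC. It parses a few constructed access-log lines in combined log format (the IPs, timestamps and the sample payload are made up for the example), flags any non-standard asc_or_desc value, separately marks values carrying SQL keywords, and counts hits per client so a run of repeated probes from one source stands out.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [23/May/2019:10:00:01 +0000] "GET /wp-admin/admin.php?page=submissions_fm&task=display&current_id=2&order_by=group_id&asc_or_desc=asc HTTP/1.1" 200 5120
10.0.0.5 - - [23/May/2019:10:00:03 +0000] "GET /wp-admin/admin.php?page=submissions_fm&task=display&current_id=2&order_by=group_id&asc_or_desc=desc HTTP/1.1" 200 5120
10.0.0.9 - - [23/May/2019:10:01:10 +0000] "GET /wp-admin/admin.php?page=submissions_fm&task=display&current_id=2&order_by=group_id&asc_or_desc=asc,(case+when+1%3d1+then+(select+sleep(1))+else+2+end)+asc%3b HTTP/1.1" 200 5120
10.0.0.9 - - [23/May/2019:10:01:12 +0000] "GET /wp-admin/admin.php?page=submissions_fm&task=display&current_id=2&order_by=group_id&asc_or_desc=asc,(case+when+1%3d2+then+(select+sleep(1))+else+2+end)+asc%3b HTTP/1.1" 200 5120
10.0.0.7 - - [23/May/2019:10:02:00 +0000] "GET /wp-admin/admin.php?page=other_plugin&asc_or_desc=weird HTTP/1.1" 200 100
"""

# Minimal combined-log-format parser: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# SQL keywords that never belong in a sort-direction parameter.
SQL_HINT = re.compile(r'\b(select|sleep|case|when|union|benchmark)\b', re.I)

ALLOWED_DIRECTIONS = {"asc", "desc"}


def classify_request(target):
    """Return a reason string if the request target is suspicious, else None.

    Only the Form Maker submissions page is in scope (page=submissions_fm on
    wp-admin/admin.php); other pages are ignored even if they carry the same
    parameter name.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if query.get("page", [""])[0] != "submissions_fm":
        return None
    for raw in query.get("asc_or_desc", []):
        # parse_qs already decoded one layer; a second pass catches
        # double-encoded payloads and is harmless on plain values.
        value = unquote_plus(raw).strip().lower()
        if value in ALLOWED_DIRECTIONS:
            continue
        if SQL_HINT.search(value):
            return "sql-keyword in asc_or_desc"
        return "non-standard asc_or_desc value"
    return None


def scan_log(text):
    """Scan log text; return (alerts, per-IP hit counter)."""
    alerts = []
    counts = Counter()
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        reason = classify_request(match["target"])
        if reason:
            alerts.append((match["ip"], match["ts"], reason))
            counts[match["ip"]] += 1
    return alerts, counts


def flag_bursts(counts, threshold=2):
    """IPs with at least `threshold` suspicious hits; repeated probes with
    varying payloads are the signature of blind, character-by-character
    enumeration described in the advisory."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found, per_ip = scan_log(SAMPLE_LOG)
    for ip, ts, reason in found:
        print(f"{ts} {ip}: {reason}")
    print("burst sources:", flag_bursts(per_ip))
```

The SQL keyword list is a heuristic to rank alerts; the allow-list check on asc_or_desc is the actual rule, since anything other than the two sort directions is abnormal regardless of what it contains. In production the burst threshold and window should be tuned to the site's normal admin traffic.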

CVSS provenance

nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P