CVE-2022-3300

CWE-89 — SQL Injection3 documents3 sources

Severity

7.2HIGH

EPSS

0.8%

top 25.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Form Maker BY 10web – Mobile-friendly Drag & Drop Contact Form Builder 10web Form Maker

Timeline

PublishedOct 25

Description

The Form Maker by 10Web WordPress plugin before 1.15.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

▶NVD10web/form_maker< 1.15.6

▶CVEListV5unknown/form_maker_by_10web_–_mobile-friendly_drag_&_drop_contact_form_builder1.15.6 — 1.15.6

🔴Vulnerability Details

CVEList

Form Maker by 10Web < 1.15.6 - Admin+ SQLI↗2022-10-25

▶

GHSA

GHSA-hpgh-grq3-j653: The Form Maker by 10Web WordPress plugin before 1↗2022-10-25

▶