Search

Find a vulnerability

Search criteria

    26 vulnerabilities found for Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder by 10web

    CVE-2026-11777 (GCVE-0-2026-11777)

    Vulnerability from nvd – Published: 2026-06-18 04:31 – Updated: 2026-06-18 15:51
    VLAI
    Title
    Form Maker by 10Web <= 1.15.43 - Authenticated (Administrator+) SQL Injection via 'name' Parameter
    Summary
    The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'name' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Credits
    Muhammad Arsalan Diponegoro
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11777",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-18T15:51:24.472711Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-18T15:51:32.223Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.43",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Muhammad Arsalan Diponegoro"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the \u0027name\u0027 parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-18T04:31:08.180Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/513f407d-e90f-4fd1-82dd-c28bab9f76d0?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.43/admin/models/FMSelectDataFromDb.php#L94"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.43/admin/models/FMSelectDataFromDb.php#L88"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.43/admin/controllers/Select_data_from_db.php#L84"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.43/form-maker.php#L911"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.41/admin/models/FMSelectDataFromDb.php#L94"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.41/admin/models/FMSelectDataFromDb.php#L88"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.41/admin/controllers/Select_data_from_db.php#L84"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.41/form-maker.php#L911"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3567408%40form-maker\u0026new=3567408%40form-maker\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-09T12:25:42.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-17T16:12:22.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Form Maker by 10Web \u003c= 1.15.43 - Authenticated (Administrator+) SQL Injection via \u0027name\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-11777",
        "datePublished": "2026-06-18T04:31:08.180Z",
        "dateReserved": "2026-06-09T12:10:32.626Z",
        "dateUpdated": "2026-06-18T15:51:32.223Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11776 (GCVE-0-2026-11776)

    Vulnerability from nvd – Published: 2026-06-18 04:31 – Updated: 2026-06-18 18:26
    VLAI
    Title
    Form Maker by 10Web <= 1.15.43 - Authenticated (Adminsitrator+) SQL Injection via 'groupids' Parameter
    Summary
    The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'groupids' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Credits
    Muhammad Arsalan Diponegoro
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11776",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-18T18:21:39.150284Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-18T18:26:17.993Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.43",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Muhammad Arsalan Diponegoro"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the \u0027groupids\u0027 parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-18T04:31:09.688Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b7850e73-8ffd-46d4-97c6-5343486a31dc?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.43/framework/WDW_FM_Library.php#L4748"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.43/framework/WDW_FM_Library.php#L4682"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.43/admin/controllers/Generete_csv.php#L33"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.43/form-maker.php#L873"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.41/framework/WDW_FM_Library.php#L4748"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.41/framework/WDW_FM_Library.php#L4682"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.41/admin/controllers/Generete_csv.php#L33"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.41/form-maker.php#L873"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3567408%40form-maker\u0026new=3567408%40form-maker\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-09T12:24:43.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-17T16:13:22.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Form Maker by 10Web \u003c= 1.15.43 - Authenticated (Adminsitrator+) SQL Injection via \u0027groupids\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-11776",
        "datePublished": "2026-06-18T04:31:09.688Z",
        "dateReserved": "2026-06-09T12:09:35.358Z",
        "dateUpdated": "2026-06-18T18:26:17.993Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3359 (GCVE-0-2026-3359)

    Vulnerability from nvd – Published: 2026-05-05 07:42 – Updated: 2026-05-06 12:37
    VLAI
    Title
    Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.42 - Unauthenticated SQL Injection via 'inputs'
    Summary
    The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection via the 'inputs' parameter in versions up to, and including, 1.15.42 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Credits
    M Indra Purnama
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3359",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-06T12:36:06.401408Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-06T12:37:03.067Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.42",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "M Indra Purnama"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection via the \u0027inputs\u0027 parameter in versions up to, and including, 1.15.42 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-05T07:42:06.700Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f37cc880-d8a4-431a-9639-abf01163030a?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3518461/form-maker"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-27T18:52:04.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-04T18:43:52.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder \u003c= 1.15.42 - Unauthenticated SQL Injection via \u0027inputs\u0027"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-3359",
        "datePublished": "2026-05-05T07:42:06.700Z",
        "dateReserved": "2026-02-27T18:36:25.127Z",
        "dateUpdated": "2026-05-06T12:37:03.067Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3330 (GCVE-0-2026-3330)

    Vulnerability from nvd – Published: 2026-04-17 03:36 – Updated: 2026-04-17 11:15
    VLAI
    Title
    Form Maker by 10Web <= 1.15.40 - Authenticated (Administrator+) SQL Injection via 'ip_search' Parameter
    Summary
    The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the 'ip_search', 'startdate', 'enddate', 'username_search', and 'useremail_search' parameters in all versions up to, and including, 1.15.40. This is due to the `WDW_FM_Library::validate_data()` method calling `stripslashes()` on user input (removing WordPress's `wp_magic_quotes()` protection) and the `FMModelSubmissions_fm::get_labels_parameters()` function directly concatenating user-supplied values into SQL queries without using `$wpdb->prepare()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Additionally, the Submissions controller skips nonce verification for the `display` task, which means this vulnerability can be triggered via CSRF by tricking an administrator into clicking a crafted link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Credits
    Sein Linn
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3330",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-17T11:15:17.474910Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-17T11:15:39.808Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.40",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sein Linn"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the \u0027ip_search\u0027, \u0027startdate\u0027, \u0027enddate\u0027, \u0027username_search\u0027, and \u0027useremail_search\u0027 parameters in all versions up to, and including, 1.15.40. This is due to the `WDW_FM_Library::validate_data()` method calling `stripslashes()` on user input (removing WordPress\u0027s `wp_magic_quotes()` protection) and the `FMModelSubmissions_fm::get_labels_parameters()` function directly concatenating user-supplied values into SQL queries without using `$wpdb-\u003eprepare()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Additionally, the Submissions controller skips nonce verification for the `display` task, which means this vulnerability can be triggered via CSRF by tricking an administrator into clicking a crafted link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T03:36:43.818Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e383b8a-27e5-4b35-8d11-6e4102255d44?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.22/admin/models/Submissions_fm.php#L154"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/trunk/admin/models/Submissions_fm.php#L154"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.22/framework/WDW_FM_Library.php#L415"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/trunk/framework/WDW_FM_Library.php#L415"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.22/admin/controllers/Submissions_fm.php#L84"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/trunk/admin/controllers/Submissions_fm.php#L84"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3501693%40form-maker\u0026new=3501693%40form-maker\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-27T14:54:41.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-16T15:04:04.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Form Maker by 10Web \u003c= 1.15.40 - Authenticated (Administrator+) SQL Injection via \u0027ip_search\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-3330",
        "datePublished": "2026-04-17T03:36:43.818Z",
        "dateReserved": "2026-02-27T14:37:55.825Z",
        "dateUpdated": "2026-04-17T11:15:39.808Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4388 (GCVE-0-2026-4388)

    Vulnerability from nvd – Published: 2026-04-14 02:25 – Updated: 2026-04-14 14:04
    VLAI
    Title
    Form Maker by 10Web <= 1.15.40 - Unauthenticated Stored Cross-Site Scripting via Matrix Field Text Box
    Summary
    The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization (`sanitize_text_field` strips tags but not quotes) and missing output escaping when rendering submission data in the admin Submissions view. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript through a form submission that executes in the browser of an administrator who views the submission details.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Naoya Takahashi
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4388",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-14T14:02:24.488962Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-14T14:04:52.784Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.40",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Naoya Takahashi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization (`sanitize_text_field` strips tags but not quotes) and missing output escaping when rendering submission data in the admin Submissions view. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript through a form submission that executes in the browser of an administrator who views the submission details."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-14T02:25:48.339Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/197449f5-9304-49df-9261-a354145fc00e?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.37/admin/views/FormMakerSubmits.php#L169"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.37/admin/views/FormMakerSubmits.php#L166"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.37/frontend/models/form_maker.php#L2352"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3501693%40form-maker%2Ftrunk\u0026old=3492680%40form-maker%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-18T14:25:04.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-13T13:52:02.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Form Maker by 10Web \u003c= 1.15.40 - Unauthenticated Stored Cross-Site Scripting via Matrix Field Text Box"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-4388",
        "datePublished": "2026-04-14T02:25:48.339Z",
        "dateReserved": "2026-03-18T14:09:39.621Z",
        "dateUpdated": "2026-04-14T14:04:52.784Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-1065 (GCVE-0-2026-1065)

    Vulnerability from nvd – Published: 2026-02-03 06:38 – Updated: 2026-04-08 17:03
    VLAI
    Title
    Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via SVG file
    Summary
    The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Credits
    Supakiad S.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1065",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-03T15:29:03.731766Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-03T15:30:36.400Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.35",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Supakiad S."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin\u0027s default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:03:54.659Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8230d5f8-01d9-465a-8a43-e9852248bb3d?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/js/add_field.js#L2364"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/frontend/models/form_maker.php#L1744"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/frontend/models/form_maker.php#L1855"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3447011%40form-maker%2Ftrunk\u0026old=3440395%40form-maker%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-16T19:31:56.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-02-02T18:12:37.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Form Maker by 10Web \u003c= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via SVG file"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-1065",
        "datePublished": "2026-02-03T06:38:04.369Z",
        "dateReserved": "2026-01-16T19:16:43.079Z",
        "dateUpdated": "2026-04-08T17:03:54.659Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-1058 (GCVE-0-2026-1058)

    Vulnerability from nvd – Published: 2026-02-03 06:38 – Updated: 2026-04-08 17:28
    VLAI
    Title
    Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via Hidden Field
    Summary
    The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses html_entity_decode() on user-supplied hidden field values without subsequent escaping before output, which converts HTML entity-encoded payloads back into executable JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin submissions view that will execute whenever an administrator accesses the submissions list.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Supakiad S.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1058",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-03T15:25:59.393794Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-03T15:30:21.249Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.35",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Supakiad S."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses html_entity_decode() on user-supplied hidden field values without subsequent escaping before output, which converts HTML entity-encoded payloads back into executable JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin submissions view that will execute whenever an administrator accesses the submissions list."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:28:49.695Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e0ec0027-2792-4069-b413-8fdd951f5fe7?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/admin/views/Submissions_fm.php#L759"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3447011%40form-maker%2Ftrunk\u0026old=3440395%40form-maker%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-16T18:36:05.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-02-02T18:21:06.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Form Maker by 10Web \u003c= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via Hidden Field"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-1058",
        "datePublished": "2026-02-03T06:38:05.509Z",
        "dateReserved": "2026-01-16T18:20:44.141Z",
        "dateUpdated": "2026-04-08T17:28:49.695Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-5020 (GCVE-0-2024-5020)

    Vulnerability from nvd – Published: 2024-12-04 08:22 – Updated: 2026-04-08 17:27
    VLAI
    Title
    Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox JavaScript Library
    Summary
    Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled FancyBox JavaScript library (versions 1.3.4 to 3.5.7) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.286 (semver)
    Create a notification for this product.
    smub Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More Affected: 0 , ≤ 1.8.15 (semver)
    Create a notification for this product.
    bqworks Accordion Slider Affected: 0 , ≤ 1.9.12 (semver)
    Create a notification for this product.
    10web Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder Affected: 0 , ≤ 1.15.27 (semver)
    Create a notification for this product.
    jetmonsters Getwid – Gutenberg Blocks Affected: 0 , ≤ 2.0.11 (semver)
    Create a notification for this product.
    firelightwp Firelight Lightbox Affected: 0 , ≤ 2.3.3 (semver)
    Create a notification for this product.
    dfactory Responsive Lightbox & Gallery Affected: 0 , ≤ 2.4.8 (semver)
    Create a notification for this product.
    shapedplugin Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel Affected: 0 , ≤ 2.6.8 (semver)
    Create a notification for this product.
    colorlibplugins FancyBox for WordPress Affected: 0 , ≤ 3.3.4 (semver)
    Create a notification for this product.
    nko Visual Portfolio, Photo Gallery & Post Grid Affected: 0 , ≤ 3.3.9 (semver)
    Create a notification for this product.
    smub Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Affected: 0 , ≤ 3.59.4 (semver)
    Create a notification for this product.
    wpclever WPC Smart Quick View for WooCommerce Affected: 0 , ≤ 4.1.1 (semver)
    Create a notification for this product.
    posimyththemes Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder Affected: 0 , ≤ 4.3.1 (semver)
    Create a notification for this product.
    Easy Social Feed Easy Social Feed Premium Affected: 0 , ≤ 6.6.2 (semver)
    Create a notification for this product.
    foliovision FV Flowplayer Video Player Affected: 0 , ≤ 7.5.47.7212 (semver)
    Create a notification for this product.
    Credits
    Craig Smith
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-5020",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-04T14:02:27.273797Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-04T14:09:09.188Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.286",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Envira Gallery \u2013 Image Photo Gallery, Albums, Video Gallery, Slideshows \u0026 More",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.15",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Accordion Slider",
              "vendor": "bqworks",
              "versions": [
                {
                  "lessThanOrEqual": "1.9.12",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.27",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Getwid \u2013 Gutenberg Blocks",
              "vendor": "jetmonsters",
              "versions": [
                {
                  "lessThanOrEqual": "2.0.11",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Firelight Lightbox",
              "vendor": "firelightwp",
              "versions": [
                {
                  "lessThanOrEqual": "2.3.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Responsive Lightbox \u0026 Gallery",
              "vendor": "dfactory",
              "versions": [
                {
                  "lessThanOrEqual": "2.4.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel",
              "vendor": "shapedplugin",
              "versions": [
                {
                  "lessThanOrEqual": "2.6.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "FancyBox for WordPress",
              "vendor": "colorlibplugins",
              "versions": [
                {
                  "lessThanOrEqual": "3.3.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Visual Portfolio, Photo Gallery \u0026 Post Grid",
              "vendor": "nko",
              "versions": [
                {
                  "lessThanOrEqual": "3.3.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Photo Gallery, Sliders, Proofing and Themes \u2013 NextGEN Gallery",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "3.59.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WPC Smart Quick View for WooCommerce",
              "vendor": "wpclever",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Nexter Blocks \u2013 Gutenberg Blocks, Page Builder \u0026 AI Website Builder",
              "vendor": "posimyththemes",
              "versions": [
                {
                  "lessThanOrEqual": "4.3.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Easy Social Feed Premium",
              "vendor": "Easy Social Feed",
              "versions": [
                {
                  "lessThanOrEqual": "6.6.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "FV Flowplayer Video Player",
              "vendor": "foliovision",
              "versions": [
                {
                  "lessThanOrEqual": "7.5.47.7212",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Craig Smith"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin\u0027s bundled FancyBox JavaScript library (versions 1.3.4 to 3.5.7) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:27:10.759Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d99d4b9a-aa09-434d-91a8-7afaa0e8b5db?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3150376/woo-smart-quick-view"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3153081/colibri-page-builder"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3157076/nextgen-gallery"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3158415/envira-gallery-lite"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3156791/form-maker"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3160432/visual-portfolio"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3161422/fv-wordpress-flowplayer"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3160232/easy-fancybox"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3161892/wp-carousel-free"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3173097/responsive-lightbox"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3175577%40getwid%2Ftrunk\u0026old=3119180%40getwid%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3186301%40fancybox-for-wordpress%2Ftrunk\u0026old=3058912%40fancybox-for-wordpress%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3169926/accordion-slider"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3306189%40the-plus-addons-for-block-editor\u0026new=3306189%40the-plus-addons-for-block-editor\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-06-13T17:22:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2024-12-03T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Multiple Plugins \u003c= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox JavaScript Library"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-5020",
        "datePublished": "2024-12-04T08:22:46.855Z",
        "dateReserved": "2024-05-16T16:50:11.363Z",
        "dateUpdated": "2026-04-08T17:27:10.759Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-10265 (GCVE-0-2024-10265)

    Vulnerability from nvd – Published: 2024-11-10 12:30 – Updated: 2026-04-08 16:35
    VLAI
    Title
    Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.30 - Reflected Cross-Site Scripting via add_query_arg Parameter
    Summary
    The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.15.30. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    vgo0
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10265",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-11T11:48:32.094450Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-11T11:48:50.475Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.30",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "vgo0"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.15.30. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:35:49.711Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0fb1a2c2-581d-47ed-a180-9f70fdf79066?source=cve"
            },
            {
              "url": "https://wordpress.org/plugins/form-maker/#developers"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/trunk/wd/includes/notices.php#L199"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3183170/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-11-10T00:07:43.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder \u003c= 1.15.30 - Reflected Cross-Site Scripting via add_query_arg Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-10265",
        "datePublished": "2024-11-10T12:30:34.046Z",
        "dateReserved": "2024-10-22T21:27:50.370Z",
        "dateUpdated": "2026-04-08T16:35:49.711Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-8633 (GCVE-0-2024-8633)

    Vulnerability from nvd – Published: 2024-09-26 11:32 – Updated: 2026-04-08 16:43
    VLAI
    Title
    Form Maker <= 1.15.27 - Authenticated (Administrator+) Stored Cross-Site Scripting
    Summary
    The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.27 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Joel Indra
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8633",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-26T12:59:51.877806Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-26T13:00:04.135Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.27",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Joel Indra"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.27 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:43:39.596Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2b32cc12-c8d5-40b8-9510-42699beec581?source=cve"
            },
            {
              "url": "https://wordpress.org/plugins/form-maker/#developers"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3156791/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-09-25T23:14:51.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Form Maker \u003c= 1.15.27 - Authenticated (Administrator+) Stored Cross-Site Scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-8633",
        "datePublished": "2024-09-26T11:32:38.668Z",
        "dateReserved": "2024-09-09T21:45:49.230Z",
        "dateUpdated": "2026-04-08T16:43:39.596Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-2258 (GCVE-0-2024-2258)

    Vulnerability from nvd – Published: 2024-04-27 03:33 – Updated: 2026-04-08 17:15
    VLAI
    Title
    Form Maker by 10Web <= 1.15.24 - Authenticated (Subscriber+) Stored Self-Based Cross-Site Scripting
    Summary
    The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name autofilled into forms in all versions up to, and including, 1.15.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    10web Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder Affected: 0 , ≤ 1.15.24 (semver)
    Create a notification for this product.
    wordpress form_maker_by_10web Affected: - , ≤ 1.15.24 (custom)
        cpe:2.3:a:wordpress:form_maker_by_10web:-:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Matthew Rollings
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:wordpress:form_maker_by_10web:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "form_maker_by_10web",
                "vendor": "wordpress",
                "versions": [
                  {
                    "lessThanOrEqual": "1.15.24",
                    "status": "affected",
                    "version": "-",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-2258",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-01T15:44:25.877484Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:30:27.169Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T19:03:39.193Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/af1075a5-9efa-4b86-9798-6dbafcba4db5?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3071515"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.24",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matthew Rollings"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user\u0027s display name autofilled into forms in all versions up to, and including, 1.15.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:15:29.153Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/af1075a5-9efa-4b86-9798-6dbafcba4db5?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3071515"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-04-26T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Form Maker by 10Web \u003c= 1.15.24 - Authenticated (Subscriber+) Stored Self-Based Cross-Site Scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-2258",
        "datePublished": "2024-04-27T03:33:35.216Z",
        "dateReserved": "2024-03-07T09:55:25.687Z",
        "dateUpdated": "2026-04-08T17:15:29.153Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-2112 (GCVE-0-2024-2112)

    Vulnerability from nvd – Published: 2024-04-09 18:58 – Updated: 2026-04-08 16:53
    VLAI
    Title
    Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.22 - Sensitive Information Exposure
    Summary
    The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.15.22 via the signature functionality. This makes it possible for unauthenticated attackers to extract sensitive data including user signatures.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Credits
    Tim Coen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-2112",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-20T18:46:58.101859Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:29:48.676Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T19:03:38.662Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5652f9c3-3cc9-4541-8209-40117b4d25d9?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset?old_path=/form-maker/tags/1.15.22\u0026old=3057012\u0026new_path=/form-maker/tags/1.15.23\u0026new=3057012\u0026sfp_email=\u0026sfph_mail="
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.22",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Tim Coen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.15.22 via the signature functionality. This makes it possible for unauthenticated attackers to extract sensitive data including user signatures."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:53:39.391Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5652f9c3-3cc9-4541-8209-40117b4d25d9?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?old_path=/form-maker/tags/1.15.22\u0026old=3057012\u0026new_path=/form-maker/tags/1.15.23\u0026new=3057012\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-03-22T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder \u003c= 1.15.22 - Sensitive Information Exposure"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-2112",
        "datePublished": "2024-04-09T18:58:49.733Z",
        "dateReserved": "2024-03-01T18:53:50.776Z",
        "dateUpdated": "2026-04-08T16:53:39.391Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-0667 (GCVE-0-2024-0667)

    Vulnerability from nvd – Published: 2024-01-27 03:32 – Updated: 2026-04-08 17:26
    VLAI
    Title
    Form-Maker (twb_form-maker) <= 1.15.21 - Cross-Site Request Forgery to Limited Code Execution via Execute
    Summary
    The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.15.21. This is due to missing or incorrect nonce validation on the 'execute' function. This makes it possible for unauthenticated attackers to execute arbitrary methods in the 'BoosterController' class via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1078 - Inappropriate Source Code Style or Formatting
    Assigner
    Impacted products
    Credits
    David Jones
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:11:35.670Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d55c832b-f558-4e8a-8301-33dd38d39ef1?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.21/booster/controller.php#L34"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3027368%40form-maker\u0026new=3027368%40form-maker\u0026sfp_email=\u0026sfph_mail="
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-0667",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-01-27T16:07:04.571735Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-17T21:29:16.273Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.21",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "David Jones"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.15.21. This is due to missing or incorrect nonce validation on the \u0027execute\u0027 function. This makes it possible for unauthenticated attackers to execute arbitrary methods in the \u0027BoosterController\u0027 class via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1078",
                  "description": "CWE-1078 Inappropriate Source Code Style or Formatting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:26:08.060Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d55c832b-f558-4e8a-8301-33dd38d39ef1?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.21/booster/controller.php#L34"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3027368%40form-maker\u0026new=3027368%40form-maker\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-01-26T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Form-Maker (twb_form-maker) \u003c= 1.15.21 - Cross-Site Request Forgery to Limited Code Execution via Execute"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-0667",
        "datePublished": "2024-01-27T03:32:46.380Z",
        "dateReserved": "2024-01-17T20:10:05.656Z",
        "dateUpdated": "2026-04-08T17:26:08.060Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11776 (GCVE-0-2026-11776)

    Vulnerability from cvelistv5 – Published: 2026-06-18 04:31 – Updated: 2026-06-18 18:26
    VLAI
    Title
    Form Maker by 10Web <= 1.15.43 - Authenticated (Adminsitrator+) SQL Injection via 'groupids' Parameter
    Summary
    The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'groupids' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Credits
    Muhammad Arsalan Diponegoro
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11776",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-18T18:21:39.150284Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-18T18:26:17.993Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.43",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Muhammad Arsalan Diponegoro"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the \u0027groupids\u0027 parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-18T04:31:09.688Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b7850e73-8ffd-46d4-97c6-5343486a31dc?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.43/framework/WDW_FM_Library.php#L4748"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.43/framework/WDW_FM_Library.php#L4682"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.43/admin/controllers/Generete_csv.php#L33"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.43/form-maker.php#L873"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.41/framework/WDW_FM_Library.php#L4748"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.41/framework/WDW_FM_Library.php#L4682"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.41/admin/controllers/Generete_csv.php#L33"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.41/form-maker.php#L873"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3567408%40form-maker\u0026new=3567408%40form-maker\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-09T12:24:43.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-17T16:13:22.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Form Maker by 10Web \u003c= 1.15.43 - Authenticated (Adminsitrator+) SQL Injection via \u0027groupids\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-11776",
        "datePublished": "2026-06-18T04:31:09.688Z",
        "dateReserved": "2026-06-09T12:09:35.358Z",
        "dateUpdated": "2026-06-18T18:26:17.993Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11777 (GCVE-0-2026-11777)

    Vulnerability from cvelistv5 – Published: 2026-06-18 04:31 – Updated: 2026-06-18 15:51
    VLAI
    Title
    Form Maker by 10Web <= 1.15.43 - Authenticated (Administrator+) SQL Injection via 'name' Parameter
    Summary
    The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'name' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Credits
    Muhammad Arsalan Diponegoro
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11777",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-18T15:51:24.472711Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-18T15:51:32.223Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.43",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Muhammad Arsalan Diponegoro"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the \u0027name\u0027 parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-18T04:31:08.180Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/513f407d-e90f-4fd1-82dd-c28bab9f76d0?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.43/admin/models/FMSelectDataFromDb.php#L94"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.43/admin/models/FMSelectDataFromDb.php#L88"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.43/admin/controllers/Select_data_from_db.php#L84"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.43/form-maker.php#L911"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.41/admin/models/FMSelectDataFromDb.php#L94"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.41/admin/models/FMSelectDataFromDb.php#L88"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.41/admin/controllers/Select_data_from_db.php#L84"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.41/form-maker.php#L911"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3567408%40form-maker\u0026new=3567408%40form-maker\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-09T12:25:42.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-17T16:12:22.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Form Maker by 10Web \u003c= 1.15.43 - Authenticated (Administrator+) SQL Injection via \u0027name\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-11777",
        "datePublished": "2026-06-18T04:31:08.180Z",
        "dateReserved": "2026-06-09T12:10:32.626Z",
        "dateUpdated": "2026-06-18T15:51:32.223Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3359 (GCVE-0-2026-3359)

    Vulnerability from cvelistv5 – Published: 2026-05-05 07:42 – Updated: 2026-05-06 12:37
    VLAI
    Title
    Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.42 - Unauthenticated SQL Injection via 'inputs'
    Summary
    The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection via the 'inputs' parameter in versions up to, and including, 1.15.42 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Credits
    M Indra Purnama
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3359",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-06T12:36:06.401408Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-06T12:37:03.067Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.42",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "M Indra Purnama"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection via the \u0027inputs\u0027 parameter in versions up to, and including, 1.15.42 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-05T07:42:06.700Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f37cc880-d8a4-431a-9639-abf01163030a?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3518461/form-maker"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-27T18:52:04.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-04T18:43:52.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder \u003c= 1.15.42 - Unauthenticated SQL Injection via \u0027inputs\u0027"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-3359",
        "datePublished": "2026-05-05T07:42:06.700Z",
        "dateReserved": "2026-02-27T18:36:25.127Z",
        "dateUpdated": "2026-05-06T12:37:03.067Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3330 (GCVE-0-2026-3330)

    Vulnerability from cvelistv5 – Published: 2026-04-17 03:36 – Updated: 2026-04-17 11:15
    VLAI
    Title
    Form Maker by 10Web <= 1.15.40 - Authenticated (Administrator+) SQL Injection via 'ip_search' Parameter
    Summary
    The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the 'ip_search', 'startdate', 'enddate', 'username_search', and 'useremail_search' parameters in all versions up to, and including, 1.15.40. This is due to the `WDW_FM_Library::validate_data()` method calling `stripslashes()` on user input (removing WordPress's `wp_magic_quotes()` protection) and the `FMModelSubmissions_fm::get_labels_parameters()` function directly concatenating user-supplied values into SQL queries without using `$wpdb->prepare()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Additionally, the Submissions controller skips nonce verification for the `display` task, which means this vulnerability can be triggered via CSRF by tricking an administrator into clicking a crafted link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Credits
    Sein Linn
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3330",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-17T11:15:17.474910Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-17T11:15:39.808Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.40",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sein Linn"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the \u0027ip_search\u0027, \u0027startdate\u0027, \u0027enddate\u0027, \u0027username_search\u0027, and \u0027useremail_search\u0027 parameters in all versions up to, and including, 1.15.40. This is due to the `WDW_FM_Library::validate_data()` method calling `stripslashes()` on user input (removing WordPress\u0027s `wp_magic_quotes()` protection) and the `FMModelSubmissions_fm::get_labels_parameters()` function directly concatenating user-supplied values into SQL queries without using `$wpdb-\u003eprepare()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Additionally, the Submissions controller skips nonce verification for the `display` task, which means this vulnerability can be triggered via CSRF by tricking an administrator into clicking a crafted link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T03:36:43.818Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e383b8a-27e5-4b35-8d11-6e4102255d44?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.22/admin/models/Submissions_fm.php#L154"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/trunk/admin/models/Submissions_fm.php#L154"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.22/framework/WDW_FM_Library.php#L415"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/trunk/framework/WDW_FM_Library.php#L415"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.22/admin/controllers/Submissions_fm.php#L84"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/trunk/admin/controllers/Submissions_fm.php#L84"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3501693%40form-maker\u0026new=3501693%40form-maker\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-27T14:54:41.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-16T15:04:04.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Form Maker by 10Web \u003c= 1.15.40 - Authenticated (Administrator+) SQL Injection via \u0027ip_search\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-3330",
        "datePublished": "2026-04-17T03:36:43.818Z",
        "dateReserved": "2026-02-27T14:37:55.825Z",
        "dateUpdated": "2026-04-17T11:15:39.808Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4388 (GCVE-0-2026-4388)

    Vulnerability from cvelistv5 – Published: 2026-04-14 02:25 – Updated: 2026-04-14 14:04
    VLAI
    Title
    Form Maker by 10Web <= 1.15.40 - Unauthenticated Stored Cross-Site Scripting via Matrix Field Text Box
    Summary
    The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization (`sanitize_text_field` strips tags but not quotes) and missing output escaping when rendering submission data in the admin Submissions view. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript through a form submission that executes in the browser of an administrator who views the submission details.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Naoya Takahashi
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4388",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-14T14:02:24.488962Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-14T14:04:52.784Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.40",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Naoya Takahashi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization (`sanitize_text_field` strips tags but not quotes) and missing output escaping when rendering submission data in the admin Submissions view. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript through a form submission that executes in the browser of an administrator who views the submission details."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-14T02:25:48.339Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/197449f5-9304-49df-9261-a354145fc00e?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.37/admin/views/FormMakerSubmits.php#L169"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.37/admin/views/FormMakerSubmits.php#L166"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.37/frontend/models/form_maker.php#L2352"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3501693%40form-maker%2Ftrunk\u0026old=3492680%40form-maker%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-18T14:25:04.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-13T13:52:02.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Form Maker by 10Web \u003c= 1.15.40 - Unauthenticated Stored Cross-Site Scripting via Matrix Field Text Box"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-4388",
        "datePublished": "2026-04-14T02:25:48.339Z",
        "dateReserved": "2026-03-18T14:09:39.621Z",
        "dateUpdated": "2026-04-14T14:04:52.784Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-1058 (GCVE-0-2026-1058)

    Vulnerability from cvelistv5 – Published: 2026-02-03 06:38 – Updated: 2026-04-08 17:28
    VLAI
    Title
    Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via Hidden Field
    Summary
    The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses html_entity_decode() on user-supplied hidden field values without subsequent escaping before output, which converts HTML entity-encoded payloads back into executable JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin submissions view that will execute whenever an administrator accesses the submissions list.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Supakiad S.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1058",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-03T15:25:59.393794Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-03T15:30:21.249Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.35",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Supakiad S."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses html_entity_decode() on user-supplied hidden field values without subsequent escaping before output, which converts HTML entity-encoded payloads back into executable JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin submissions view that will execute whenever an administrator accesses the submissions list."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:28:49.695Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e0ec0027-2792-4069-b413-8fdd951f5fe7?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/admin/views/Submissions_fm.php#L759"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3447011%40form-maker%2Ftrunk\u0026old=3440395%40form-maker%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-16T18:36:05.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-02-02T18:21:06.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Form Maker by 10Web \u003c= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via Hidden Field"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-1058",
        "datePublished": "2026-02-03T06:38:05.509Z",
        "dateReserved": "2026-01-16T18:20:44.141Z",
        "dateUpdated": "2026-04-08T17:28:49.695Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-1065 (GCVE-0-2026-1065)

    Vulnerability from cvelistv5 – Published: 2026-02-03 06:38 – Updated: 2026-04-08 17:03
    VLAI
    Title
    Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via SVG file
    Summary
    The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Credits
    Supakiad S.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1065",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-03T15:29:03.731766Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-03T15:30:36.400Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.35",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Supakiad S."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin\u0027s default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:03:54.659Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8230d5f8-01d9-465a-8a43-e9852248bb3d?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/js/add_field.js#L2364"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/frontend/models/form_maker.php#L1744"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/frontend/models/form_maker.php#L1855"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3447011%40form-maker%2Ftrunk\u0026old=3440395%40form-maker%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-16T19:31:56.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-02-02T18:12:37.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Form Maker by 10Web \u003c= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via SVG file"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-1065",
        "datePublished": "2026-02-03T06:38:04.369Z",
        "dateReserved": "2026-01-16T19:16:43.079Z",
        "dateUpdated": "2026-04-08T17:03:54.659Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-5020 (GCVE-0-2024-5020)

    Vulnerability from cvelistv5 – Published: 2024-12-04 08:22 – Updated: 2026-04-08 17:27
    VLAI
    Title
    Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox JavaScript Library
    Summary
    Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled FancyBox JavaScript library (versions 1.3.4 to 3.5.7) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.286 (semver)
    Create a notification for this product.
    smub Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More Affected: 0 , ≤ 1.8.15 (semver)
    Create a notification for this product.
    bqworks Accordion Slider Affected: 0 , ≤ 1.9.12 (semver)
    Create a notification for this product.
    10web Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder Affected: 0 , ≤ 1.15.27 (semver)
    Create a notification for this product.
    jetmonsters Getwid – Gutenberg Blocks Affected: 0 , ≤ 2.0.11 (semver)
    Create a notification for this product.
    firelightwp Firelight Lightbox Affected: 0 , ≤ 2.3.3 (semver)
    Create a notification for this product.
    dfactory Responsive Lightbox & Gallery Affected: 0 , ≤ 2.4.8 (semver)
    Create a notification for this product.
    shapedplugin Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel Affected: 0 , ≤ 2.6.8 (semver)
    Create a notification for this product.
    colorlibplugins FancyBox for WordPress Affected: 0 , ≤ 3.3.4 (semver)
    Create a notification for this product.
    nko Visual Portfolio, Photo Gallery & Post Grid Affected: 0 , ≤ 3.3.9 (semver)
    Create a notification for this product.
    smub Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Affected: 0 , ≤ 3.59.4 (semver)
    Create a notification for this product.
    wpclever WPC Smart Quick View for WooCommerce Affected: 0 , ≤ 4.1.1 (semver)
    Create a notification for this product.
    posimyththemes Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder Affected: 0 , ≤ 4.3.1 (semver)
    Create a notification for this product.
    Easy Social Feed Easy Social Feed Premium Affected: 0 , ≤ 6.6.2 (semver)
    Create a notification for this product.
    foliovision FV Flowplayer Video Player Affected: 0 , ≤ 7.5.47.7212 (semver)
    Create a notification for this product.
    Credits
    Craig Smith
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-5020",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-04T14:02:27.273797Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-04T14:09:09.188Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.286",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Envira Gallery \u2013 Image Photo Gallery, Albums, Video Gallery, Slideshows \u0026 More",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.15",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Accordion Slider",
              "vendor": "bqworks",
              "versions": [
                {
                  "lessThanOrEqual": "1.9.12",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.27",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Getwid \u2013 Gutenberg Blocks",
              "vendor": "jetmonsters",
              "versions": [
                {
                  "lessThanOrEqual": "2.0.11",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Firelight Lightbox",
              "vendor": "firelightwp",
              "versions": [
                {
                  "lessThanOrEqual": "2.3.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Responsive Lightbox \u0026 Gallery",
              "vendor": "dfactory",
              "versions": [
                {
                  "lessThanOrEqual": "2.4.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel",
              "vendor": "shapedplugin",
              "versions": [
                {
                  "lessThanOrEqual": "2.6.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "FancyBox for WordPress",
              "vendor": "colorlibplugins",
              "versions": [
                {
                  "lessThanOrEqual": "3.3.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Visual Portfolio, Photo Gallery \u0026 Post Grid",
              "vendor": "nko",
              "versions": [
                {
                  "lessThanOrEqual": "3.3.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Photo Gallery, Sliders, Proofing and Themes \u2013 NextGEN Gallery",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "3.59.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WPC Smart Quick View for WooCommerce",
              "vendor": "wpclever",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Nexter Blocks \u2013 Gutenberg Blocks, Page Builder \u0026 AI Website Builder",
              "vendor": "posimyththemes",
              "versions": [
                {
                  "lessThanOrEqual": "4.3.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Easy Social Feed Premium",
              "vendor": "Easy Social Feed",
              "versions": [
                {
                  "lessThanOrEqual": "6.6.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "FV Flowplayer Video Player",
              "vendor": "foliovision",
              "versions": [
                {
                  "lessThanOrEqual": "7.5.47.7212",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Craig Smith"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin\u0027s bundled FancyBox JavaScript library (versions 1.3.4 to 3.5.7) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:27:10.759Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d99d4b9a-aa09-434d-91a8-7afaa0e8b5db?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3150376/woo-smart-quick-view"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3153081/colibri-page-builder"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3157076/nextgen-gallery"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3158415/envira-gallery-lite"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3156791/form-maker"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3160432/visual-portfolio"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3161422/fv-wordpress-flowplayer"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3160232/easy-fancybox"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3161892/wp-carousel-free"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3173097/responsive-lightbox"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3175577%40getwid%2Ftrunk\u0026old=3119180%40getwid%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3186301%40fancybox-for-wordpress%2Ftrunk\u0026old=3058912%40fancybox-for-wordpress%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3169926/accordion-slider"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3306189%40the-plus-addons-for-block-editor\u0026new=3306189%40the-plus-addons-for-block-editor\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-06-13T17:22:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2024-12-03T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Multiple Plugins \u003c= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox JavaScript Library"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-5020",
        "datePublished": "2024-12-04T08:22:46.855Z",
        "dateReserved": "2024-05-16T16:50:11.363Z",
        "dateUpdated": "2026-04-08T17:27:10.759Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-10265 (GCVE-0-2024-10265)

    Vulnerability from cvelistv5 – Published: 2024-11-10 12:30 – Updated: 2026-04-08 16:35
    VLAI
    Title
    Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.30 - Reflected Cross-Site Scripting via add_query_arg Parameter
    Summary
    The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.15.30. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    vgo0
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10265",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-11T11:48:32.094450Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-11T11:48:50.475Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.30",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "vgo0"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.15.30. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:35:49.711Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0fb1a2c2-581d-47ed-a180-9f70fdf79066?source=cve"
            },
            {
              "url": "https://wordpress.org/plugins/form-maker/#developers"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/trunk/wd/includes/notices.php#L199"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3183170/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-11-10T00:07:43.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder \u003c= 1.15.30 - Reflected Cross-Site Scripting via add_query_arg Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-10265",
        "datePublished": "2024-11-10T12:30:34.046Z",
        "dateReserved": "2024-10-22T21:27:50.370Z",
        "dateUpdated": "2026-04-08T16:35:49.711Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-8633 (GCVE-0-2024-8633)

    Vulnerability from cvelistv5 – Published: 2024-09-26 11:32 – Updated: 2026-04-08 16:43
    VLAI
    Title
    Form Maker <= 1.15.27 - Authenticated (Administrator+) Stored Cross-Site Scripting
    Summary
    The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.27 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Joel Indra
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8633",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-26T12:59:51.877806Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-26T13:00:04.135Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.27",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Joel Indra"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.27 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:43:39.596Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2b32cc12-c8d5-40b8-9510-42699beec581?source=cve"
            },
            {
              "url": "https://wordpress.org/plugins/form-maker/#developers"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3156791/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-09-25T23:14:51.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Form Maker \u003c= 1.15.27 - Authenticated (Administrator+) Stored Cross-Site Scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-8633",
        "datePublished": "2024-09-26T11:32:38.668Z",
        "dateReserved": "2024-09-09T21:45:49.230Z",
        "dateUpdated": "2026-04-08T16:43:39.596Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-2258 (GCVE-0-2024-2258)

    Vulnerability from cvelistv5 – Published: 2024-04-27 03:33 – Updated: 2026-04-08 17:15
    VLAI
    Title
    Form Maker by 10Web <= 1.15.24 - Authenticated (Subscriber+) Stored Self-Based Cross-Site Scripting
    Summary
    The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name autofilled into forms in all versions up to, and including, 1.15.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    10web Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder Affected: 0 , ≤ 1.15.24 (semver)
    Create a notification for this product.
    wordpress form_maker_by_10web Affected: - , ≤ 1.15.24 (custom)
        cpe:2.3:a:wordpress:form_maker_by_10web:-:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Matthew Rollings
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:wordpress:form_maker_by_10web:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "form_maker_by_10web",
                "vendor": "wordpress",
                "versions": [
                  {
                    "lessThanOrEqual": "1.15.24",
                    "status": "affected",
                    "version": "-",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-2258",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-01T15:44:25.877484Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:30:27.169Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T19:03:39.193Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/af1075a5-9efa-4b86-9798-6dbafcba4db5?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3071515"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.24",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matthew Rollings"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user\u0027s display name autofilled into forms in all versions up to, and including, 1.15.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:15:29.153Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/af1075a5-9efa-4b86-9798-6dbafcba4db5?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3071515"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-04-26T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Form Maker by 10Web \u003c= 1.15.24 - Authenticated (Subscriber+) Stored Self-Based Cross-Site Scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-2258",
        "datePublished": "2024-04-27T03:33:35.216Z",
        "dateReserved": "2024-03-07T09:55:25.687Z",
        "dateUpdated": "2026-04-08T17:15:29.153Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-2112 (GCVE-0-2024-2112)

    Vulnerability from cvelistv5 – Published: 2024-04-09 18:58 – Updated: 2026-04-08 16:53
    VLAI
    Title
    Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.22 - Sensitive Information Exposure
    Summary
    The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.15.22 via the signature functionality. This makes it possible for unauthenticated attackers to extract sensitive data including user signatures.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Credits
    Tim Coen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-2112",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-20T18:46:58.101859Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:29:48.676Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T19:03:38.662Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5652f9c3-3cc9-4541-8209-40117b4d25d9?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset?old_path=/form-maker/tags/1.15.22\u0026old=3057012\u0026new_path=/form-maker/tags/1.15.23\u0026new=3057012\u0026sfp_email=\u0026sfph_mail="
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.22",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Tim Coen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.15.22 via the signature functionality. This makes it possible for unauthenticated attackers to extract sensitive data including user signatures."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:53:39.391Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5652f9c3-3cc9-4541-8209-40117b4d25d9?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?old_path=/form-maker/tags/1.15.22\u0026old=3057012\u0026new_path=/form-maker/tags/1.15.23\u0026new=3057012\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-03-22T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder \u003c= 1.15.22 - Sensitive Information Exposure"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-2112",
        "datePublished": "2024-04-09T18:58:49.733Z",
        "dateReserved": "2024-03-01T18:53:50.776Z",
        "dateUpdated": "2026-04-08T16:53:39.391Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-0667 (GCVE-0-2024-0667)

    Vulnerability from cvelistv5 – Published: 2024-01-27 03:32 – Updated: 2026-04-08 17:26
    VLAI
    Title
    Form-Maker (twb_form-maker) <= 1.15.21 - Cross-Site Request Forgery to Limited Code Execution via Execute
    Summary
    The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.15.21. This is due to missing or incorrect nonce validation on the 'execute' function. This makes it possible for unauthenticated attackers to execute arbitrary methods in the 'BoosterController' class via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1078 - Inappropriate Source Code Style or Formatting
    Assigner
    Impacted products
    Credits
    David Jones
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:11:35.670Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d55c832b-f558-4e8a-8301-33dd38d39ef1?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.21/booster/controller.php#L34"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3027368%40form-maker\u0026new=3027368%40form-maker\u0026sfp_email=\u0026sfph_mail="
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-0667",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-01-27T16:07:04.571735Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-17T21:29:16.273Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.21",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "David Jones"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.15.21. This is due to missing or incorrect nonce validation on the \u0027execute\u0027 function. This makes it possible for unauthenticated attackers to execute arbitrary methods in the \u0027BoosterController\u0027 class via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1078",
                  "description": "CWE-1078 Inappropriate Source Code Style or Formatting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:26:08.060Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d55c832b-f558-4e8a-8301-33dd38d39ef1?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.21/booster/controller.php#L34"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3027368%40form-maker\u0026new=3027368%40form-maker\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-01-26T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Form-Maker (twb_form-maker) \u003c= 1.15.21 - Cross-Site Request Forgery to Limited Code Execution via Execute"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-0667",
        "datePublished": "2024-01-27T03:32:46.380Z",
        "dateReserved": "2024-01-17T20:10:05.656Z",
        "dateUpdated": "2026-04-08T17:26:08.060Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }