PatchSiren cyber security CVE debrief
CVE-2018-25346 10Web CVE debrief
CVE-2018-25346 documents SQL injection vulnerabilities in WordPress Form Maker Plugin versions 1.12.24 and below. An authenticated attacker can manipulate database queries by sending POST requests to the FormMakerSQLMapping and generete_csv actions with SQL payloads in the name and search_labels parameters, enabling database extraction, modification, or privilege escalation. The CVE was published on 2026-05-23 and modified on 2026-05-26. It is classified as HIGH severity with a CVSS score of 7.1 and maps to CWE-89 (SQL Injection). Vendor attribution is low confidence and flagged for review. No exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.
- Vendor: 10Web
- Product: Form Maker
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-23
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-23
- Advisory updated: 2026-05-26
Who should care
WordPress site administrators running the Form Maker plugin, security teams managing WordPress installations, web application security assessors, and organizations that rely on form builder plugins for data collection.
Technical summary
Authenticated SQL injection in WordPress Form Maker Plugin ≤1.12.24 via the FormMakerSQLMapping and generete_csv actions. Attackers inject SQL through the name and search_labels POST parameters to manipulate database queries. CVSS 7.1, HIGH severity. Remediate by upgrading the plugin to a version newer than 1.12.24.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade WordPress Form Maker Plugin to a version newer than 1.12.24
- Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in POST requests to admin-ajax.php
- Review and restrict administrative access to WordPress installations using this plugin
- Monitor database query logs for anomalous SQL patterns indicative of injection attempts
- Conduct security assessment of all WordPress plugins for similar input validation weaknesses
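The WAF and log-monitoring actions above can be turned into a concrete triage check. The following is an added example, not code from PatchSiren, 10Web or the Form Maker plugin: it scans request-log records for the exact vector the advisory describes (a POST to admin-ajax.php carrying the FormMakerSQLMapping or generete_csv action with SQL metacharacters in name or search_labels). It assumes a constructed tab-separated record format that includes the URL-encoded POST body, which ordinary web-server access logs do not record, so in practice the input would come from a WAF or request-logging layer. The SQLI_PATTERN regex is illustrative and should be tuned against the site's legitimate form labels.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Actions and POST parameters named in the advisory for CVE-2018-25346.
FLAGGED_ACTIONS = {"FormMakerSQLMapping", "generete_csv"}
FLAGGED_PARAMS = ("name", "search_labels")

# Generic SQL injection indicators. Illustrative, not exhaustive: tune to
# what legitimate form labels on your site actually look like.
SQLI_PATTERN = re.compile(
    r"(['\"]|--|/\*|#|;|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|\bor\b\s*\d+\s*=\s*\d+)",
    re.IGNORECASE,
)


def classify_record(line):
    """Return a finding for a record matching the advisory's vector, else None.

    Assumed record format (tab-separated): METHOD<TAB>PATH[?QUERY]<TAB>URLENCODED_BODY
    A record is flagged when it is a POST to admin-ajax.php whose action (taken
    from the query string or the body) is one of the advisory's actions AND at
    least one of the named parameters carries a SQL injection indicator.
    """
    try:
        method, target, body = line.rstrip("\n").split("\t", 2)
    except ValueError:
        return None  # malformed record: skip it rather than abort the scan
    url = urlsplit(target)
    if method != "POST" or not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    # Merge query-string and body parameters; WordPress reads the action from either.
    params = parse_qs(url.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    hit_actions = [a for a in params.get("action", []) if a in FLAGGED_ACTIONS]
    if not hit_actions:
        return None
    suspicious = {}
    for name in FLAGGED_PARAMS:
        for value in params.get(name, []):
            if SQLI_PATTERN.search(value):
                suspicious[name] = value
                break
    if not suspicious:
        return None
    return {"action": hit_actions[0], "params": suspicious}


def scan(lines):
    """Scan an iterable of records; return (1-based line number, finding) pairs."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        finding = classify_record(line)
        if finding:
            findings.append((lineno, finding))
    return findings


# Constructed sample records for demonstration; not captured traffic.
SAMPLE_LOG = [
    # benign: unrelated admin-ajax action
    "POST\t/wp-admin/admin-ajax.php\taction=heartbeat&data=1",
    # benign: flagged action, but values look like ordinary form labels
    "POST\t/wp-admin/admin-ajax.php\taction=FormMakerSQLMapping&name=contact_form&search_labels=email",
    # suspicious: quote and tautology in the name parameter
    "POST\t/wp-admin/admin-ajax.php\taction=FormMakerSQLMapping&name=x%27+OR+1%3D1--+&search_labels=",
    # suspicious: action in the query string, UNION in search_labels
    "POST\t/wp-admin/admin-ajax.php?action=generete_csv\tname=export&search_labels=a%27+UNION+SELECT+1%2C2--",
    # GET is not the vector the advisory describes; ignored
    "GET\t/wp-admin/admin-ajax.php?action=generete_csv&name=x%27\t",
]

if __name__ == "__main__":
    for lineno, finding in scan(SAMPLE_LOG):
        print(f"line {lineno}: action={finding['action']} params={finding['params']}")
```

Running the block against the constructed records flags lines 3 and 4 only; the check requires both a flagged action and an injection indicator in a flagged parameter, so legitimate use of the same actions with plain labels is not reported. Findings from real traffic are a prompt to confirm the plugin version and review the requesting account, not proof of compromise on their own.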
Evidence notes
Vulnerability confirmed via NVD with CVSS 4.0 vector. Exploit-DB reference 44853 and VulnCheck advisory provide technical disclosure. Vendor attribution marked as low confidence requiring review.
Official resources
SQL injection vulnerabilities in WordPress Form Maker Plugin 1.12.24 and below allow authenticated attackers to inject malicious SQL payloads through the FormMakerSQLMapping and generete_csv actions, potentially enabling unauthorized data access.