PatchSiren cyber security CVE debrief
CVE-2026-11777 10web CVE debrief
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'name' parameter in all versions up to, and including, 1.15.43. The vulnerability exists due to insufficient escaping of the user-supplied 'name' parameter and inadequate preparation of existing SQL queries. This allows authenticated attackers with administrator-level access to append additional SQL queries to existing ones, potentially leading to sensitive information extraction from the database. The debrief highlights the need for immediate attention to prevent potential SQL injection attacks.
- Vendor
- 10web
- Product
- Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
- CVSS
- MEDIUM 4.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-18
- Original CVE updated
- 2026-06-18
- Advisory published
- 2026-06-18
- Advisory updated
- 2026-06-18
Who should care
Administrators of WordPress installations using the Form Maker by 10Web plugin should prioritize updating to a patched version to prevent potential SQL injection attacks. Additionally, security teams and vulnerability management teams should be aware of the vulnerability and take necessary steps to mitigate the risk.
Technical summary
The vulnerability exists in the Form Maker by 10Web plugin due to insufficient escaping of the user-supplied 'name' parameter and inadequate preparation of existing SQL queries. This allows authenticated attackers with administrator-level access to append additional SQL queries to existing ones, potentially leading to sensitive information extraction from the database. The technical summary emphasizes the importance of updating the plugin to a version that addresses the SQL injection vulnerability.
Defensive priority
High priority should be given to updating the Form Maker by 10Web plugin to a version that addresses the SQL injection vulnerability, as it can be exploited by authenticated administrators to extract sensitive data.
Recommended defensive actions
- Update the Form Maker by 10Web plugin to a patched version.
- Implement additional monitoring to detect potential SQL injection attempts.
- Restrict administrator access to only those who require it.
- Regularly review and update all plugins and themes on the WordPress installation.
- Verify the vulnerability with official sources and check for any additional information that may be available.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-06-18T06:16:57.320Z and was last modified on 2026-06-18T17:16:27.813Z. The NVD entry is currently Deferred. The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'name' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Evidence limits suggest verifying the vulnerability with official sources and checking for any additional information that may be available.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-18T06:16:57.320Z and has not been modified since then. The NVD entry is currently Deferred.