PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11777 10web CVE debrief

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'name' parameter in all versions up to, and including, 1.15.43. The vulnerability exists due to insufficient escaping of the user-supplied 'name' parameter and inadequate preparation of existing SQL queries. This allows authenticated attackers with administrator-level access to append additional SQL queries to existing ones, potentially leading to sensitive information extraction from the database. The debrief highlights the need for immediate attention to prevent potential SQL injection attacks.

Vendor
10web
Product
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
CVSS
MEDIUM 4.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-18
Original CVE updated
2026-06-18
Advisory published
2026-06-18
Advisory updated
2026-06-18

Who should care

Administrators of WordPress installations using the Form Maker by 10Web plugin should prioritize updating to a patched version to prevent potential SQL injection attacks. Additionally, security teams and vulnerability management teams should be aware of the vulnerability and take necessary steps to mitigate the risk.

Technical summary

The vulnerability exists in the Form Maker by 10Web plugin due to insufficient escaping of the user-supplied 'name' parameter and inadequate preparation of existing SQL queries. This allows authenticated attackers with administrator-level access to append additional SQL queries to existing ones, potentially leading to sensitive information extraction from the database. The technical summary emphasizes the importance of updating the plugin to a version that addresses the SQL injection vulnerability.

Defensive priority

High priority should be given to updating the Form Maker by 10Web plugin to a version that addresses the SQL injection vulnerability, as it can be exploited by authenticated administrators to extract sensitive data.

Recommended defensive actions

  • Update the Form Maker by 10Web plugin to a patched version.
  • Implement additional monitoring to detect potential SQL injection attempts.
  • Restrict administrator access to only those who require it.
  • Regularly review and update all plugins and themes on the WordPress installation.
  • Verify the vulnerability with official sources and check for any additional information that may be available.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-06-18T06:16:57.320Z and was last modified on 2026-06-18T17:16:27.813Z. The NVD entry is currently Deferred. The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'name' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Evidence limits suggest verifying the vulnerability with official sources and checking for any additional information that may be available.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-18T06:16:57.320Z and has not been modified since then. The NVD entry is currently Deferred.