PatchSiren

10web CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM 10web CVE published 2026-06-18

CVE-2026-11777

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'name' parameter in all versions up to, and including, 1.15.43. The vulnerability exists due to insufficient escaping of the user-supplied 'name' parameter and inadequate preparation of existing SQL queries. This allows authenticated attackers with administrator-le [truncated]

MEDIUM 10web CVE published 2026-06-18

CVE-2026-11776

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'groupids' parameter in all versions up to, and including, 1.15.43. This vulnerability exists due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. As a result, authenticated attackers with adminis [truncated]

CRITICAL 10Web CVE published 2026-06-15

CVE-2026-39502

CVE-2026-39502 is a critical vulnerability in the Form Maker by 10Web plugin for WordPress, affecting versions up to and including 1.15.38. This vulnerability, with a CVSS score of 9.3, allows unauthenticated SQL injection attacks. The vulnerability was published on [cvePublishedAt] and last modified on [cveModifiedAt].

MEDIUM 10web CVE published 2026-06-06

CVE-2026-9829

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based SQL Injection via 'compact_album_order_by' Shortcode Parameter in all versions up to, and including, 1.8.41. This vulnerability is due to insufficient escaping on the user-supplied parameter and a lack of sufficient preparation on the existing SQL query. Authenticated attackers with contributor-leve [truncated]

HIGH 10Web CVE published 2026-06-04

CVE-2026-49771

A Blind SQL Injection vulnerability was discovered in the Photo Gallery by 10Web plugin, affecting versions from n/a through 1.8.41. This issue, tracked as CVE-2026-49771, has a CVSS score of 7.6 and is classified as HIGH severity. The vulnerability allows for Blind SQL Injection attacks, which can potentially lead to unauthorized access to sensitive data. The issue was published on [cvePublishedAt] and l [truncated]

MEDIUM 10web CVE published 2026-05-28

CVE-2026-7048

A time-based blind SQL injection vulnerability exists in the Photo Gallery by 10Web WordPress plugin. The flaw resides in the 'order_by' parameter where insufficient escaping and lack of query preparation allow authenticated attackers with contributor-level access or higher to inject malicious SQL. Attackers can exploit this by embedding a crafted shortcode in posts or drafts, which executes injected SQL [truncated]

HIGH 10Web CVE published 2026-05-23

CVE-2018-25346

CVE-2018-25346 documents SQL injection vulnerabilities in WordPress Form Maker Plugin versions 1.12.24 and below. The vulnerability allows authenticated attackers to manipulate database queries by injecting SQL code through the FormMakerSQLMapping and generete_csv actions via POST requests containing malicious payloads in the name and search_labels parameters. This enables database extraction, modificatio [truncated]