These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'name' parameter in all versions up to, and including, 1.15.43. The vulnerability exists due to insufficient escaping of the user-supplied 'name' parameter and inadequate preparation of existing SQL queries. This allows authenticated attackers with administrator-le [truncated]
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'groupids' parameter in all versions up to, and including, 1.15.43. This vulnerability exists due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. As a result, authenticated attackers with adminis [truncated]
CVE-2026-39502 is a critical vulnerability in the Form Maker by 10Web plugin for WordPress, affecting versions up to and including 1.15.38. This vulnerability, with a CVSS score of 9.3, allows unauthenticated SQL injection attacks. The vulnerability was published on [cvePublishedAt] and last modified on [cveModifiedAt].
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based SQL Injection via 'compact_album_order_by' Shortcode Parameter in all versions up to, and including, 1.8.41. This vulnerability is due to insufficient escaping on the user-supplied parameter and a lack of sufficient preparation on the existing SQL query. Authenticated attackers with contributor-leve [truncated]
A Blind SQL Injection vulnerability was discovered in the Photo Gallery by 10Web plugin, affecting versions from n/a through 1.8.41. This issue, tracked as CVE-2026-49771, has a CVSS score of 7.6 and is classified as HIGH severity. The vulnerability allows for Blind SQL Injection attacks, which can potentially lead to unauthorized access to sensitive data. The issue was published on [cvePublishedAt] and l [truncated]
A time-based blind SQL injection vulnerability exists in the Photo Gallery by 10Web WordPress plugin. The flaw resides in the 'order_by' parameter where insufficient escaping and lack of query preparation allow authenticated attackers with contributor-level access or higher to inject malicious SQL. Attackers can exploit this by embedding a crafted shortcode in posts or drafts, which executes injected SQL [truncated]
CVE-2018-25346 documents SQL injection vulnerabilities in WordPress Form Maker Plugin versions 1.12.24 and below. The vulnerability allows authenticated attackers to manipulate database queries by injecting SQL code through the FormMakerSQLMapping and generete_csv actions via POST requests containing malicious payloads in the name and search_labels parameters. This enables database extraction, modificatio [truncated]