CVE-2018-25346 HIGH

CVE-2018-25346: WordPress Form Maker Plugin 1.12.24 SQL Injection via admin-ajax.php

Vendor 10Web

Product Form Maker

Weakness CWE-89 · SQLi

Published May 23, 2026

Last update May 26, 2026

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

WordPress Form Maker Plugin 1.12.24 and below contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through the FormMakerSQLMapping and generete_csv actions. Attackers can submit POST requests with malicious SQL payloads in the name and search_labels parameters to extract, modify, or escalate privileges within the WordPress database.

Key dates

Disclosure timeline

May 23, 2026 CVE published

May 26, 2026 Record updated