CVE-2025-15441 PUBLISHED

Form Maker < 1.15.38 - SQL Injection

Assigner: WPScan
Reserved: 02.01.2026 Published: 13.04.2026 Updated: 13.04.2026

The Form Maker by 10Web WordPress plugin before 1.15.38 does not properly prepare SQL queries when the "MySQL Mapping" feature is in use, which could make SQL Injection attacks possible in certain contexts.

Product Status

Vendor: Unknown
Product: Form Maker by 10Web
Versions (default: unaffected):
  • affected from 0 to 1.15.38 (excl.)

Credits

  • hiariz (finder)
  • WPScan (coordinator)

Problem Types

  • CWE-89 SQL Injection