Form Maker by 10Web Plugin Vulnerability (CVE-2025-15441)


Security Alert Summary

The Form Maker by 10Web WordPress plugin contains a SQL injection vulnerability that is reachable when its “MySQL Mapping” feature is in use. The plugin does not prepare the SQL queries built in those code paths, so an attacker who can reach them could inject SQL and read confidential data from the site’s database.


CVE Details

  • CVE ID: CVE-2025-15441
  • Affected component: The Form Maker by 10Web WordPress plugin
  • Affected versions: Versions before 1.15.38
  • Published: April 13, 2026 at 07:16:07 AM UTC
  • Last modified: April 13, 2026 at 04:16:23 PM UTC
  • CVSS v3.1 base score: 6.8 (MEDIUM)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
  • Vector breakdown: network attack vector (AV:N); high attack complexity (AC:H); no privileges required (PR:N); no user interaction required (UI:N); scope changed (S:C).
  • Impact: Confidentiality: High; Integrity: None; Availability: None
  • Weakness (CWE): CWE-89 (SQL Injection)

Technical Details

The plugin builds SQL queries in the “MySQL Mapping” code paths without preparing them. User-supplied input that reaches those queries is therefore spliced into the SQL text rather than bound as a parameter, which is the textbook condition for SQL injection (CWE-89). The CVE description ties the flaw specifically to use of the MySQL Mapping feature; it does not name particular functions, hooks, or REST endpoints, so the exact entry point is not public in the data available here.

The CVSS metrics rate the impact as confidentiality-only (C:H, I:N, A:N): data can be read, but the vector credits no modification or disruption. The high attack complexity (AC:H) signals that the attack depends on conditions outside the attacker’s control, such as the target site actually having MySQL Mapping configured.
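The following Python script is an added illustration of the mechanism described above; it is not code from the plugin, from 10Web, or from the CVE record. It reproduces CWE-89 against an in-memory SQLite database with constructed tables and rows: one lookup splices a submitted form value into the SQL string, the other binds it as a parameter, which is the role `$wpdb->prepare()` plays in WordPress. The table names, sample rows, and payloads are all invented for the example.

```python
import sqlite3

# Constructed sample data for the demonstration; these are not the plugin's tables or rows.
SUBMISSIONS = [
    (1, "alice@example.com", "Interested in a quote"),
    (2, "bob@example.com", "Internal note: budget figures attached"),
]
USERS = [
    ("admin", "admin@example.com"),
    ("editor", "editor@example.com"),
]

# Two payloads an attacker might place in a form field (constructed for the example).
# The first widens the WHERE clause; the second pulls rows out of a different table.
PAYLOAD_OR = "nobody@example.com' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT user_login, user_email FROM users WHERE 'a'='a"


def make_db():
    """Build an in-memory database with a submissions table and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE submissions (id INTEGER PRIMARY KEY, email TEXT, message TEXT)")
    conn.execute("CREATE TABLE users (user_login TEXT, user_email TEXT)")
    conn.executemany("INSERT INTO submissions VALUES (?, ?, ?)", SUBMISSIONS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_unprepared(conn, email):
    """Vulnerable pattern (CWE-89): the submitted value is spliced into the SQL text,
    so a quote character in it changes the structure of the query."""
    sql = "SELECT id, email FROM submissions WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, email):
    """Hardened pattern: the value is bound as a parameter and can only ever be
    compared as data. This is what $wpdb->prepare() does for WordPress queries."""
    sql = "SELECT id, email FROM submissions WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both payloads through both code paths and return the rows each produced."""
    conn = make_db()
    return {
        "unprepared_or": lookup_unprepared(conn, PAYLOAD_OR),
        "unprepared_union": lookup_unprepared(conn, PAYLOAD_UNION),
        "prepared_or": lookup_prepared(conn, PAYLOAD_OR),
        "prepared_union": lookup_prepared(conn, PAYLOAD_UNION),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The unprepared path returns every submission for the OR payload and the contents of the users table for the UNION payload; the prepared path returns nothing for either, because the whole string is compared against the email column as a literal value. In WordPress the same distinction is between concatenating into `$wpdb->query()`/`$wpdb->get_results()` and passing values through `$wpdb->prepare()` with `%s`/`%d` placeholders (and `%i` for table or column identifiers in WordPress 6.2 and later).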


How This Could Impact Your Website

Consider a small organization running Form Maker with internal staff and external contributors: a site owner maintains the installation, editors manage content, and external contractors help configure forms. If the MySQL Mapping feature is enabled and an attacker can trigger the vulnerable query paths, confidential data stored in the database could be exposed. That might include internal user email addresses, form submission contents, or other sensitive records referenced by the affected queries.

Exposed email addresses and form data increase the risk of targeted phishing or social engineering against staff or customers. If you rely on third-party contractors who have access to form configuration, those accounts could be used to change settings that enable the vulnerable feature.

Professional review: If you are unsure whether your site is affected, or how to assess your current user roles and plugins, consider having a professional review your setup.


Recommended Actions

  • Update Form Maker to version 1.15.38 or later, the release that addresses this issue; versions before 1.15.38 are affected.
  • Review and reduce unnecessary user roles, especially contributor-level access and accounts with form configuration permissions.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Disable the MySQL Mapping feature if it is not required, and remove plugins that are unused or no longer maintained.
  • Monitor site activity and database access logs for unusual queries or data exfiltration attempts.
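To check an installation against the affected-version boundary from the CVE details, the following Python snippet (an added example, not 10Web’s or Freshy’s code) parses the JSON that `wp plugin list --format=json` emits and flags any copy of the plugin below 1.15.38. The sample inventory is constructed for the example, and the plugin slug `form-maker` is an assumption to verify against your own listing.

```python
import json

# Patched release stated in the advisory: anything strictly below this is affected.
FIXED_VERSION = "1.15.38"
# Assumed wordpress.org slug for Form Maker by 10Web; confirm against your own `wp plugin list`.
PLUGIN_SLUG = "form-maker"

# Constructed sample standing in for the output of `wp plugin list --format=json`.
SAMPLE_INVENTORY = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "form-maker", "status": "active", "update": "available", "version": "1.15.4"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"},
])


def parse_version(version):
    """Turn '1.15.4' into (1, 15, 4) so comparison is numeric, not lexicographic.
    Non-numeric suffixes such as '1.15.4-beta' are truncated at the first non-digit."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version is strictly older than the fixed release."""
    installed, target = parse_version(version), parse_version(fixed)
    # Pad to equal length so that '1.15' compares as 1.15.0.
    width = max(len(installed), len(target))
    installed += (0,) * (width - len(installed))
    target += (0,) * (width - len(target))
    return installed < target


def find_affected(inventory_json, slug=PLUGIN_SLUG):
    """Return (version, status) for each installed copy of the plugin that is below the fix.
    Inactive copies are reported too: the code is still on disk and should be updated."""
    hits = []
    for plugin in json.loads(inventory_json):
        if plugin.get("name") == slug and is_vulnerable(plugin.get("version", "0")):
            hits.append((plugin["version"], plugin.get("status")))
    return hits


if __name__ == "__main__":
    for version, status in find_affected(SAMPLE_INVENTORY):
        print(f"{PLUGIN_SLUG} {version} ({status}) is below {FIXED_VERSION}: update required")
```

Run `wp plugin list --format=json` on the site and pass its output to `find_affected()` in place of the sample. The numeric comparison matters: as plain strings, "1.15.4" sorts after "1.15.38", which would wrongly clear an affected install.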

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

