CVE-2018-25346: WordPress Form Maker Plugin 1.12.24 SQL Injection via admin-ajax.php
WordPress Form Maker Plugin 1.12.24 and below contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through the FormMakerSQLMapping and generete_csv actions. Attackers can submit POST requests with malicious SQL payloads in the name and search_labels parameters to extract, modify, or escalate privileges within the WordPress database.
Security readout for executives and security teams
Plain-English summary
A flaw in the WordPress Form Maker plugin (version 1.12.24 and earlier) lets logged-in users tamper with the site's database through the plugin's form-handling endpoints. On sites where low-privilege accounts exist, an insider or account-holder could read sensitive data or alter records, potentially leading to broader site takeover.
Executive priority
Treat as a priority patch on any WordPress property using Form Maker, especially sites with open registration or many contributor accounts. Not an emergency for closed single-admin sites, but should be resolved within the next routine maintenance window to prevent data exposure and account escalation risk.
Technical view
Form Maker up to 1.12.24 exposes SQL injection (CWE-89) via admin-ajax.php using the FormMakerSQLMapping and generete_csv actions. The name and search_labels POST parameters are concatenated into database queries without proper parameterization. An authenticated user can influence query logic to read or modify data. CVSS 4.0 is 7.1 with network attack vector and low privileges required.
Likely exposure
Any WordPress site running 10Web Form Maker at or below 1.12.24 that permits user registration or otherwise issues low-privilege accounts is exposed. Public-facing WordPress installs with open registration or multi-author workflows carry the greatest risk; single-admin sites without additional accounts have narrower exposure.
Exploitation context
Not listed in CISA KEV. A public proof-of-concept exists on Exploit-DB (EDB-44853) and VulnCheck published an advisory, indicating exploitation details are widely known. The sources do not confirm active in-the-wild campaigns, but the low complexity and authenticated-only requirement make opportunistic abuse plausible on sites allowing self-registration.
Researcher notes
Two vulnerable actions are cited: FormMakerSQLMapping and generete_csv (note the vendor's misspelling), with injection surfacing in the name and search_labels parameters. CWE-89 with PR:L in the CVSS 4.0 vector aligns with the authenticated precondition. Sources do not name a fixed version, so remediation guidance must reference vendor advisories rather than a specific patched build. Confidence in scope is medium pending vendor confirmation of a patched release.
Mitigation direction
Check 10Web vendor guidance and update Form Maker to the latest available version.
If no fix is confirmed, disable or uninstall the Form Maker plugin until vendor guidance is verified.
Restrict WordPress user registration and audit low-privilege accounts.
Place the site behind a WAF with SQL injection signatures tuned for admin-ajax.php.
Rotate database credentials and WordPress secrets if compromise is suspected.
Enable database query logging and monitor admin-ajax.php traffic for anomalies.
Validation and detection
Inventory WordPress sites and identify installations of 10Web Form Maker with version 1.12.24 or earlier.
Confirm whether user registration or low-privilege accounts exist on affected sites.
Review web and application logs for POST requests to admin-ajax.php invoking FormMakerSQLMapping or generete_csv actions.
Check the WordPress plugin repository and 10Web changelog for a patched release addressing this CVE.
After patching, retest the affected endpoints with authenticated accounts to confirm inputs are parameterized.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-89: Database access and collection lookup
Injection into data stores can inform collection, data access, and exfiltration detection reviews. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-89 · source CWE mapping
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.