SQL Injection Vulnerability in 10Web's Form Maker Plugin for WordPress
CVE-2026-11776

4.9MEDIUM

Key Information:

Vendor: WordPress
Status: Form Maker By 10web – Mobile-friendly Drag & Drop Contact Form Builder
Vendor: CVE Published:; 18 June 2026

What is CVE-2026-11776?

The Form Maker plugin by 10Web for WordPress is susceptible to SQL Injection through the 'groupids' parameter. This vulnerability arises from inadequate escaping of user-supplied data and insufficient preparation in SQL queries. Authenticated administrators and higher-level users can exploit this flaw to append unauthorized SQL queries, potentially gaining access to sensitive information stored in the database. All users of the plugin are encouraged to review their installations and apply necessary updates to mitigate this issue.

Affected Version(s)

Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder 0 <= 1.15.43

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/form-maker/tag...

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 18, 2026
Vulnerability Reserved
Jun 9, 2026

Credit

Muhammad Arsalan Diponegoro

CVE-2026-11776 Data

JSON