CVE-2026-39502

10Web · Form Maker

The Form Maker by 10Web plugin for WordPress is vulnerable to unauthenticated SQL injection, allowing attackers to extract information from the database.

Executive summary

A critical SQL injection vulnerability in the Form Maker by 10Web plugin permits unauthenticated attackers to gain unauthorized access to sensitive database content.

Vulnerability

This vulnerability arises from insufficient sanitization of user-supplied input before it is used in a database query, allowing an unauthenticated attacker to inject SQL that the database executes, leading to exfiltration of data.

Business impact

The CVSS score of 9.3 underscores the risk of this vulnerability. If exploited, it could result in the total compromise of data stored within the plugin, potentially impacting business operations and leading to significant legal and reputational consequences.

Remediation

Immediate Action: Update the Form Maker by 10Web plugin to version 1.15.39 or later.

Proactive Monitoring: Regularly audit database logs for suspicious queries and monitor application traffic for signs of automated SQL injection scanning.

Compensating Controls: Use a Web Application Firewall (WAF) to block requests containing malicious SQL payloads targeted at the plugin's endpoints.
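The two defensive checks above (confirm the installed version is at or past the fix, and triage web-server logs for injection attempts aimed at the plugin) as an added example; this is not code from the advisory or from 10Web. It assumes the plugin is installed under the WordPress.org slug `form-maker`, uses a hypothetical endpoint name, and runs over constructed sample log lines.

```python
import re
from urllib.parse import unquote_plus

FIXED_VERSION = (1, 15, 39)  # first fixed release named in the advisory

# Assumption: the plugin directory uses the WordPress.org slug "form-maker".
PLUGIN_PATH = "/wp-content/plugins/form-maker/"

# Coarse SQL-injection heuristics for log triage; a WAF rule set would be stricter.
SQLI_PATTERNS = re.compile(
    r"(?i)(\bunion\b\s+(all\s+)?select\b|\bor\b\s+\d+\s*=\s*\d+|'\s*(or|and)\b|"
    r"\bsleep\s*\(|\bbenchmark\s*\(|--\s|/\*|\binformation_schema\b)"
)

# Apache/nginx combined-log prefix: client, ident, user, [time], "METHOD TARGET PROTO"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')


def parse_version(text):
    """Turn '1.15.39' into (1, 15, 39) so comparison is numeric, not lexical
    (a string compare would wrongly rank '1.15.4' above '1.15.39')."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_vulnerable_version(installed):
    """True when the installed Form Maker version predates the fixed release."""
    return parse_version(installed) < FIXED_VERSION


def flag_suspicious_requests(log_lines):
    """Return (client_ip, decoded request target) for requests under the plugin
    path whose URL-decoded query matches an injection heuristic."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        ip, _method, target = m.groups()
        decoded = unquote_plus(target)  # decode %27, %20, '+' before matching
        if PLUGIN_PATH in decoded and SQLI_PATTERNS.search(decoded):
            hits.append((ip, decoded))
    return hits


# Constructed sample lines (not real traffic); "example.php" is a hypothetical endpoint.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /wp-content/plugins/form-maker/example.php?id=1%27%20OR%201%3D1--%20- HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /wp-content/plugins/form-maker/example.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 512',
    '198.51.100.5 - - [01/Jan/2026:10:00:02 +0000] "GET /wp-content/plugins/form-maker/example.php?id=42 HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2026:10:00:03 +0000] "GET /?s=union+select HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print("needs update:", is_vulnerable_version("1.15.38"))
    for ip, path in flag_suspicious_requests(SAMPLE_LOG):
        print(ip, path)
```

The last sample line matches the heuristic but is outside the plugin path, so it is not reported; widen `PLUGIN_PATH` only if the site's rewrite rules route plugin requests elsewhere.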

Exploitation status

Public Exploit Available: False

Analyst recommendation

Promptly apply the available patch to mitigate this high-risk vulnerability. Ensuring the plugin is updated is essential to maintaining the confidentiality and integrity of your site's database.