{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15441", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-01-02T16:38:55.479Z", "datePublished": "2026-04-13T06:00:11.088Z", "dateUpdated": "2026-04-13T15:04:26.883Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-13T06:00:11.088Z"}, "title": "Form Maker < 1.15.38 - SQL Injection", "problemTypes": [{"descriptions": [{"description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Form Maker by 10Web", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "1.15.38"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Form Maker by 10Web WordPress plugin before 1.15.38 does not properly prepare SQL queries when the \"MySQL Mapping\" feature is in use, which could make SQL Injection attacks possible in certain contexts."}], "references": [{"url": "https://wpscan.com/vulnerability/41f69b0a-4d17-4a6b-b803-ea1c370e3cc0/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "hiariz", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T15:03:55.515711Z", "id": "CVE-2025-15441", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:04:26.883Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-15441", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T15:03:55.515711Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:04:23.419Z"}}], "cna": {"title": "Form Maker < 1.15.38 - SQL Injection", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "hiariz"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "Form Maker by 10Web", "versions": [{"status": "affected", "version": "0", "lessThan": "1.15.38", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wpscan.com/vulnerability/41f69b0a-4d17-4a6b-b803-ea1c370e3cc0/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The Form Maker by 10Web WordPress plugin before 1.15.38 does not properly prepare SQL queries when the \"MySQL Mapping\" feature is in use, which could make SQL Injection attacks possible in certain contexts."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-89 SQL Injection"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-13T06:00:11.088Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15441", "state": "PUBLISHED", "dateUpdated": "2026-04-13T15:04:26.883Z", "dateReserved": "2026-01-02T16:38:55.479Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-04-13T06:00:11.088Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Form Maker by 10Web WordPress plugin before 1.15.38 does not properly prepare SQL queries when the \"MySQL Mapping\" feature is in use, which could make SQL Injection attacks possible in certain contexts."}], "id": "CVE-2025-15441", "lastModified": "2026-04-13T16:16:23.300", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-13T07:16:07.213", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/41f69b0a-4d17-4a6b-b803-ea1c370e3cc0/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.15.38)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Form Maker by 10Web", "source": "cna", "vendor": "Unknown"}, "product": "form_maker", "vendor": "10web"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-13T08:51:40.277790+00:00", "value": {"mitigation_remediation": ["Upgrade Form Maker to version 1.15.38 or later", "If upgrading is not immediately possible, disable the MySQL Mapping feature to prevent exploitation", "Verify that all SQL queries handled by the plugin use prepared statements or proper escaping"], "summary": {"action": "Patch", "impact": "SQL Injection may allow unauthorized database access or manipulation"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Form Maker plugin by 10Web installed at a version prior to 1.15.38 and have enabled the MySQL Mapping feature are affected.", "description_and_impact": "The Form Maker WordPress plugin fails to properly prepare SQL queries when its \"MySQL Mapping\" feature is active, which could allow an attacker to inject arbitrary SQL. Based on the description, it is inferred that this flaw could expose the database to unauthorized reads, writes, or deletions, impacting the confidentiality and integrity of site data.", "risk_and_exploitability": "The available data does not provide a CVSS or EPSS score, so the severity cannot be quantified. The flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could exploit the vulnerability by supplying malicious input through the plugin\u2019s form interface, enabling execution of unintended SQL statements if the MySQL Mapping feature is engaged."}}}}, "created": "2026-04-13T12:36:59.415295+00:00", "updated": "2026-04-13T12:52:47.539049+00:00", "vendors": ["10web", "10web$PRODUCT$form_maker", "wordpress", "wordpress$PRODUCT$wordpress"], "weaknesses": ["CWE-89"]}