PT-2026-33401 · 10Web · Form Maker

Sein Linn · Published 2026-04-17 · Updated 2026-04-17 · CVE-2026-3330

CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Form Maker by 10Web, versions prior to 1.15.41

Description: An authenticated attacker with Administrator-level access or higher can append additional SQL to the plugin's submission-search queries and extract sensitive information from the database. Two defects combine. WDW_FM_Library::validate_data() runs stripslashes() on user input, removing the slashes WordPress adds to request data, which were the only escaping those values had. FMModelSubmissions_fm::get_labels_parameters() then concatenates the unslashed values directly into SQL queries without proper preparation (no $wpdb->prepare()). The affected parameters are 'ip_search', 'startdate', 'enddate', 'username_search' and 'useremail_search'. Separately, the Submissions controller performs no nonce verification for the 'display' task, so the injection can also be triggered through Cross-Site Request Forgery (CSRF): an attacker lures a logged-in administrator to a page that submits the crafted request on the administrator's behalf. The CVSS vector scores the direct authenticated case (PR:H/UI:N); the CSRF route trades the privilege requirement for user interaction by the victim administrator.

Recommendations: Update to version 1.15.41 or later. Until the update is applied, restrict access to the 'display' task in the Submissions controller, or avoid using the ip_search, startdate, enddate, username_search and useremail_search parameters.

Fix

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2026-3330

Affected Products: Form Maker