Skip to main content

WordPress CVE-2026-3330

| EUVDEUVD-2026-23352 MEDIUM
SQL Injection (CWE-89)
2026-04-17 Wordfence GHSA-88f4-qv6h-wgph
4.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 17, 2026 - 04:41 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 04:30 euvd
EUVD-2026-23352
Analysis Generated
Apr 17, 2026 - 04:30 vuln.today
CVE Published
Apr 17, 2026 - 03:36 nvd
MEDIUM 4.9

DescriptionCVE.org

The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the 'ip_search', 'startdate', 'enddate', 'username_search', and 'useremail_search' parameters in all versions up to, and including, 1.15.40. This is due to the WDW_FM_Library::validate_data() method calling stripslashes() on user input (removing WordPress's wp_magic_quotes() protection) and the FMModelSubmissions_fm::get_labels_parameters() function directly concatenating user-supplied values into SQL queries without using $wpdb->prepare(). This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Additionally, the Submissions controller skips nonce verification for the display task, which means this vulnerability can be triggered via CSRF by tricking an administrator into clicking a crafted link.

AnalysisAI

SQL injection in Form Maker by 10Web WordPress plugin (versions ≤1.15.40) allows authenticated administrators to extract sensitive database information via unsanitized parameters (ip_search, startdate, enddate, username_search, useremail_search) in the Submissions display function. The vulnerability stems from the validate_data() method stripping WordPress's magic quotes protection and get_labels_parameters() concatenating user input directly into SQL queries without prepared statements. A CSRF vector exists because the vulnerable display task lacks nonce verification, enabling attackers to trick administrators into triggering the injection via a crafted link. Exploitation requires Administrator-level privileges but can be chained with CSRF for unauthorized triggering.

Technical ContextAI

The Form Maker by 10Web plugin mishandles user input in two critical locations: the WDW_FM_Library::validate_data() method calls stripslashes() on user-supplied values, explicitly removing WordPress's wp_magic_quotes() protection mechanism designed to prevent SQL injection. Subsequently, the FMModelSubmissions_fm::get_labels_parameters() function concatenates these unsanitized values directly into SQL queries without using the WordPress $wpdb->prepare() prepared statement API (CWE-89: Improper Neutralization of Special Elements used in an SQL Command). The vulnerable parameters (ip_search, startdate, enddate, username_search, useremail_search) are processed through this chain when the Submissions controller handles the display task. Critically, the Submissions_fm controller omits nonce verification (wp_verify_nonce) for the display task action, creating a secondary CSRF vulnerability that allows remote attackers to trigger the SQL injection by manipulating an authenticated administrator into clicking a malicious link. This combination violates WordPress security best practices: input sanitization, parameterized queries, and CSRF tokens.

RemediationAI

Update Form Maker by 10Web to version 1.15.41 or later immediately, as the vulnerability affects all versions through 1.15.40. The patch must address three components: (1) removal of the stripslashes() call in WDW_FM_Library::validate_data() to preserve WordPress's native magic quotes protection, (2) refactoring FMModelSubmissions_fm::get_labels_parameters() to use $wpdb->prepare() for all SQL queries, and (3) adding wp_verify_nonce() validation to the Submissions controller's display task to prevent CSRF exploitation. Administrators should verify the patch is applied by checking the plugin version in the WordPress admin dashboard (Plugins > Installed Plugins) or via the plugin's code repository. Until patching, mitigate the CSRF vector by disabling the display task endpoint if not actively used (requires custom code modification) or by restricting Administrator role to only essential personnel. Do not rely on WAF rules alone, as SQL injection may evade basic signature detection when obfuscated via CSRF payloads. Refer to the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/5e383b8a-27e5-4b35-8d11-6e4102255d44?source=cve for vendor confirmation and patch release timeline.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-3330 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy