Skip to main content

Form Maker by 10Web CVE-2026-39502

| EUVDEUVD-2026-36947 CRITICAL
SQL Injection (CWE-89)
2026-06-15 Patchstack GHSA-hqwp-wgxm-88pc
9.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
8.2 HIGH

Remote unauthenticated SQLi (AV:N/AC:L/PR:N/UI:N) yields full DB read (C:H); minor I:L for possible log/state side effects, A:N and S:U as no cross-component impact is evidenced.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:25 vuln.today

DescriptionCVE.org

Unauthenticated SQL Injection in Form Maker by 10Web <= 1.15.38 versions.

AnalysisAI

Unauthenticated SQL injection in the Form Maker by 10Web WordPress plugin (versions ≤ 1.15.38) allows remote attackers to inject arbitrary SQL into backend queries without credentials, leading to database content disclosure and partial integrity/availability impact across a changed security scope. No public exploit identified at time of analysis, but the CVSS 9.3 and trivial network-reachable attack profile make this a high-priority issue for any WordPress site running the plugin. The Patchstack-coordinated disclosure indicates a vendor-tracked flaw, though no fixed version is confirmed in the supplied data.

Technical ContextAI

Form Maker by 10Web is a widely deployed WordPress plugin (CPE cpe:2.3:a:10web:form_maker_by_10web) that provides drag-and-drop form building, submission storage, and admin reporting via PHP endpoints that query the WordPress MySQL/MariaDB database. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-supplied input reaches a SQL query without proper parameterization or escaping - typically because a plugin endpoint concatenates request parameters into a query string instead of using $wpdb->prepare(). Because the CVSS vector specifies Scope:Changed, the injection likely crosses a trust boundary (e.g., a public form handler reaching data managed by other WordPress components or the broader DBMS), which is consistent with plugin endpoints registered via admin-ajax.php or REST routes that lack capability checks.

RemediationAI

No vendor-released patch identified at time of analysis in the supplied data - administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/form-maker/vulnerability/wordpress-form-maker-by-10web-plugin-1-15-38-sql-injection-vulnerability) and the WordPress.org plugin page for the next release above 1.15.38 and upgrade as soon as it is available. As compensating controls until a patched version ships, deactivate and remove the Form Maker plugin if forms are not business-critical (side effect: existing forms and submission data become inaccessible until reactivation); alternatively, place the site behind a WAF such as Patchstack, Wordfence, or Cloudflare and enable virtual patching / SQLi signature rules targeted at the plugin's admin-ajax and REST endpoints (side effect: false positives on legitimate form submissions containing SQL-like punctuation); restrict access to /wp-admin/admin-ajax.php and the plugin's REST routes by IP where feasible (side effect: breaks public form submissions, so only viable for internal-use forms); and rotate database credentials and WordPress admin passwords if compromise is suspected, since SQLi typically yields wp_users hashes.

Share

CVE-2026-39502 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy