Skip to main content

Easy Form Builder CVE-2026-42747

| EUVDEUVD-2026-32196 CRITICAL
SQL Injection (CWE-89)
2026-05-27 audit@patchstack.com GHSA-8rj8-4rfm-p4j9
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 19:47 vuln.today

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Blind SQL Injection.This issue affects Easy Form Builder: from n/a through <= 4.0.6.

AnalysisAI

Blind SQL injection in the Easy Form Builder WordPress plugin (by hassantafreshi), affecting all versions up to and including 4.0.6, lets remote unauthenticated attackers inject crafted SQL into backend database queries. With a CVSS of 9.3 and a scope-changed vector, a successful attack can read sensitive data across the database and impact availability. There is no public exploit identified at time of analysis, and the EPSS score is very low (0.03%, 9th percentile), indicating no observed mass exploitation yet despite the high severity rating.

Technical ContextAI

Easy Form Builder is a WordPress plugin used to create custom forms; like most WordPress plugins it interacts with the site's underlying MySQL/MariaDB database through PHP. The root cause is CWE-89, improper neutralization of special elements in an SQL command, meaning user-supplied input reaches a SQL statement without proper parameterization or escaping. The 'blind' designation indicates the injection does not return data directly in responses, so an attacker infers results through boolean/time-based inference. No CPE strings were provided in the source data; affected scope is identified via the ENISA EUVD record (EUVD-2026-32196) and the Patchstack advisory as the WordPress plugin slug easy-form-builder.

RemediationAI

No vendor-released patch version is identified in the available data - the affected range is listed as up to and including 4.0.6 with no fixed version specified, so administrators should monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/easy-form-builder/vulnerability/wordpress-easy-form-builder-plugin-4-0-6-sql-injection-vulnerability?_s_id=cve) and the WordPress plugin repository for a release above 4.0.6 and upgrade as soon as one is published. Until a fixed version is available, consider deactivating and removing the Easy Form Builder plugin (trade-off: any forms it provides will stop functioning) or restricting access to the affected form-handling endpoints. A web application firewall with SQL injection rules (such as Patchstack's vPatch or an equivalent WAF) can provide virtual patching to block injection payloads, though WAF rules may be bypassable and can produce false positives on legitimate form input. Audit database accounts used by WordPress to enforce least privilege, limiting the blast radius of any successful injection.

Share

CVE-2026-42747 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy