What is the CVSS score of CVE-2026-42747?

CVE-2026-42747 has a CVSS 3.1 base score of 9.3 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L. EPSS exploitation probability: 0.0%.

Which versions of Easy Form Builder are affected by CVE-2026-42747?

The Easy Form Builder WordPress plugin (versions through 4.0.6) contains a critical blind SQL injection vulnerability that allows unauthenticated remote attackers to read sensitive database records…

Easy Form Builder CVE-2026-42747

Q: How to fix or mitigate CVE-2026-42747?

24 hours: Disable or remove Easy Form Builder plugin from all WordPress instances; if operationally unavoidable, deploy Web Application Firewall (WAF) rules to block SQL injection payloads targeting the plugin. 7 days: Review database and web server logs for exploitation signatures; test backup and recovery procedures. 30 days: Monitor vendor advisories for patch release; evaluate and migrate to alternative form-building solutions.

EUVD-2026-32196 CRITICAL

SQL Injection (CWE-89)

2026-05-27 audit@patchstack.com

GHSA-8rj8-4rfm-p4j9

SQLi

9.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

Low

Lifecycle Timeline

Analysis Generated

May 27, 2026 - 19:47 vuln.today

DescriptionNVD

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Blind SQL Injection.This issue affects Easy Form Builder: from n/a through <= 4.0.6.

AnalysisAI

Blind SQL injection in the Easy Form Builder WordPress plugin (by hassantafreshi), affecting all versions up to and including 4.0.6, lets remote unauthenticated attackers inject crafted SQL into backend database queries. With a CVSS of 9.3 and a scope-changed vector, a successful attack can read sensitive data across the database and impact availability. …

RemediationAI

24 hours: Disable or remove Easy Form Builder plugin from all WordPress instances; if operationally unavoidable, deploy Web Application Firewall (WAF) rules to block SQL injection payloads targeting the plugin. 7 days: Review database and web server logs for exploitation signatures; test backup and recovery procedures. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-42747 vulnerability details – vuln.today

Back

Easy Form Builder CVE-2026-42747

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code