Skip to main content

Form Maker By 10Web

1 CVEs product

Monthly

CVE-2026-39502 CRITICAL Act Now

Unauthenticated SQL injection in the Form Maker by 10Web WordPress plugin (versions ≤ 1.15.38) allows remote attackers to inject arbitrary SQL into backend queries without credentials, leading to database content disclosure and partial integrity/availability impact across a changed security scope. No public exploit identified at time of analysis, but the CVSS 9.3 and trivial network-reachable attack profile make this a high-priority issue for any WordPress site running the plugin. The Patchstack-coordinated disclosure indicates a vendor-tracked flaw, though no fixed version is confirmed in the supplied data.

SQLi Form Maker By 10Web
NVD
CVSS 3.1
9.3
EPSS
0.3%
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the Form Maker by 10Web WordPress plugin (versions ≤ 1.15.38) allows remote attackers to inject arbitrary SQL into backend queries without credentials, leading to database content disclosure and partial integrity/availability impact across a changed security scope. No public exploit identified at time of analysis, but the CVSS 9.3 and trivial network-reachable attack profile make this a high-priority issue for any WordPress site running the plugin. The Patchstack-coordinated disclosure indicates a vendor-tracked flaw, though no fixed version is confirmed in the supplied data.

SQLi Form Maker By 10Web
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy