Description
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection via the 'inputs' parameter in versions up to, and including, 1.15.42 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-05-05
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Form Maker by 10Web plugin allows an attacker to inject SQL through the 'inputs' request parameter because the value is neither escaped nor bound through a prepared statement, but is placed directly into an existing SQL query. The injected text appends attacker-controlled SQL to that query, which lets the adversary read data from other tables in the WordPress database. This is a classic SQL injection (CWE-89); the CVSS vector (C:H/I:N/A:N) records an impact on confidentiality only, with no integrity or availability impact claimed.

Affected Systems

Vulnerable installations are those running the Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin at version 1.15.42 or earlier. Any WordPress site with one of these versions installed is affected, regardless of how the plugin is configured.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) rates the flaw High: it is reachable over the network, requires no credentials and no user interaction, and the only precondition is the ability to send HTTP requests to the site. No EPSS score is available yet, so the probability of exploitation has not been quantified, and the absence of a KEV listing means only that in-the-wild exploitation has not been confirmed, not that the flaw is hard to exploit. Unauthenticated SQL injection in a WordPress plugin is a class of bug that is routinely scanned for and weaponised once the vulnerable parameter is public, so sites should treat unpatched installations as exposed.

Generated by OpenCVE AI on May 5, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to a version newer than 1.15.42 as soon as the vendor publishes one; every release up to and including 1.15.42 contains the vulnerable code.
  • If an immediate upgrade is not possible, reduce exposure: deactivate the plugin until a fix is available, or place a WAF rule in front of the site that rejects requests whose 'inputs' parameter contains SQL metacharacters (quotes, comment markers, UNION/SELECT keywords), or restrict the affected request path to authenticated users or trusted IP ranges. Note that the advisory names only the parameter, not the endpoint, so confirm which request path reaches it before relying on a path-based restriction.
  • If you maintain a fork or cannot wait for the vendor, replace the raw SQL usage with prepared statements: pass every request-derived value, including 'inputs', through $wpdb->prepare() placeholders (%d, %s, %f). Escaping alone is not sufficient when the value lands in an unquoted context such as a numeric comparison or an IN list, because no quote is needed to break out of it.
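The following is an added illustrative example of the remediation pattern above. It is not code from the Form Maker plugin; the table name ({$wpdb->prefix}formmaker_submits), the column names and the query shape (an IN list built from a comma-separated 'inputs' value) are assumptions chosen to show the vulnerable construction, a common misuse of $wpdb->prepare() that does not fix it, and the corrected form. It assumes it runs inside WordPress, where the global $wpdb object is available.

```php
<?php
/**
 * Added example, not the Form Maker plugin's own code. Assumes a WordPress
 * runtime (global $wpdb). Table, columns and the IN-list query shape are
 * assumptions for illustration only.
 */

/**
 * VULNERABLE: the request parameter is spliced straight into the SQL text.
 * The value sits in an unquoted context, so escaping quotes would not help:
 * a value that closes the parenthesis and appends a UNION SELECT against
 * another table is exactly the "append additional SQL ... extract sensitive
 * information" impact the advisory describes.
 */
function fm_example_submits_vulnerable() {
    global $wpdb;
    $inputs = isset( $_REQUEST['inputs'] ) ? (string) $_REQUEST['inputs'] : '';
    $sql = "SELECT id, element_value FROM {$wpdb->prefix}formmaker_submits WHERE element_id IN ($inputs)";
    return $wpdb->get_results( $sql );
}

/**
 * STILL VULNERABLE: wrapping an already-interpolated string in prepare()
 * protects nothing. prepare() only substitutes %d / %s / %f placeholders;
 * with no placeholder in the query WordPress (3.9+) raises a
 * _doing_it_wrong() notice and the attacker-controlled text goes through.
 */
function fm_example_submits_misused_prepare() {
    global $wpdb;
    $inputs = isset( $_REQUEST['inputs'] ) ? (string) $_REQUEST['inputs'] : '';
    $sql = $wpdb->prepare( "SELECT id, element_value FROM {$wpdb->prefix}formmaker_submits WHERE element_id IN ($inputs)" );
    return $wpdb->get_results( $sql );
}

/**
 * FIXED: coerce every element to an integer, drop anything that is not a
 * positive integer, then bind one %d placeholder per value through
 * $wpdb->prepare(). A single %s would not work for an IN list: prepare()
 * quotes %s, so IN (%s) with "1,2,3" becomes IN ('1,2,3'), which matches
 * nothing and hides the bug instead of fixing it.
 */
function fm_example_submits_fixed() {
    global $wpdb;
    $raw = isset( $_REQUEST['inputs'] ) ? (string) $_REQUEST['inputs'] : '';

    // intval() turns "7) UNION SELECT ..." into 7 and non-numeric junk into 0;
    // array_filter() then removes the zeros, array_values() reindexes for prepare().
    $ids = array_values( array_filter( array_map( 'intval', explode( ',', $raw ) ) ) );
    if ( empty( $ids ) ) {
        return array();
    }

    // One %d placeholder per value, e.g. "%d,%d,%d" for three ids.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT id, element_value FROM {$wpdb->prefix}formmaker_submits WHERE element_id IN ($placeholders)",
        $ids // prepare() accepts the bound values as a single array
    );
    return $wpdb->get_results( $sql );
}
```

The fixed version relies on two independent controls: the type coercion means only integers can ever reach the query, and the per-value %d placeholders mean that even if the coercion were removed later the values would still be bound rather than concatenated. When reviewing a plugin for this bug class, search for $wpdb->get_results, get_var, get_row and query calls whose argument is a double-quoted string containing a variable, and for prepare() calls that receive no second argument.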

Advisories

No advisories yet.

History

Tue, 05 May 2026 09:45:00 +0000

Values added (no values removed):
  • First Time appeared: 10web; 10web form Maker By 10web – Mobile-friendly Drag & Drop Contact Form Builder; Wordpress; Wordpress wordpress
  • Vendors & Products: 10web; 10web form Maker By 10web – Mobile-friendly Drag & Drop Contact Form Builder; Wordpress; Wordpress wordpress

Tue, 05 May 2026 08:30:00 +0000

Values added (no values removed):
  • Description: The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection via the 'inputs' parameter in versions up to, and including, 1.15.42 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
  • Title: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.42 - Unauthenticated SQL Injection via 'inputs'
  • Weaknesses: CWE-89
  • References: (none listed)
  • Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-05T07:42:06.700Z

Reserved: 2026-02-27T18:36:25.127Z

Link: CVE-2026-3359

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-05T09:16:03.827

Modified: 2026-05-05T09:16:03.827

Link: CVE-2026-3359

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T09:30:21Z

Weaknesses