Security Alert Summary
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress contains a SQL injection vulnerability in the inputs parameter. The issue allows unauthenticated attackers to append additional SQL queries to existing queries and may be used to extract sensitive information from the site database.
CVE Details
- CVE ID: CVE-2026-3359
- Affected component: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress
- Affected versions: Versions up to and including 1.15.42
- Published: May 5, 2026 at 9:16:03 AM
- Last modified: May 5, 2026 at 9:16:03 AM
- CVSS v3.1: Base Score 7.5 (HIGH) — Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Authentication / privileges / user interaction:
  - Authentication required: None (unauthenticated attackers)
  - Privileges required: None
  - User interaction: None
- Primary impact:
  - Confidentiality: High
  - Integrity: None
  - Availability: None
- CWE / weakness: CWE-89 (SQL Injection)
Technical Details
According to the advisory, the plugin is vulnerable to SQL injection via the inputs parameter. The vulnerability exists because user-supplied data passed through the inputs parameter is not sufficiently escaped and the existing SQL query is not adequately prepared. This combination can allow an attacker to append additional SQL statements to queries constructed by the plugin.
No specific function names or REST endpoints are listed in the provided information; the behavior described centers on insufficient escaping and lack of proper query preparation around the inputs parameter. The practical impact described is extraction of sensitive information from the site database by an unauthenticated attacker.
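To make the advisory's two failure conditions concrete, here is an added example (not the plugin's code, and not taken from the advisory) showing the unsafe pattern it describes, raw request data concatenated into SQL, next to a hardened version that validates the input and binds it through $wpdb->prepare(). The table name wp_fm_submits, the assumption that inputs is a comma-separated list of numeric IDs, and the WpdbStandIn class are all hypothetical, added so the file runs outside WordPress.

```php
<?php
// Added example, not the plugin's code. Assumptions: a hypothetical table
// `wp_fm_submits` and an `inputs` value meant to be a comma-separated list
// of numeric IDs. The real plugin's schema and handler are not in the advisory.

// Minimal stand-in for WordPress's $wpdb so this file runs outside WordPress.
// Like the real prepare(), %d casts to int and %s quotes an escaped string
// (WordPress escapes through the live MySQL connection; addslashes() is
// only an offline approximation here).
class WpdbStandIn {
    public function prepare(string $query, ...$args): string {
        $i = 0;
        return preg_replace_callback('/%[ds]/', function ($m) use ($args, &$i) {
            $v = $args[$i++];
            return $m[0] === '%d' ? (string) (int) $v : "'" . addslashes((string) $v) . "'";
        }, $query);
    }
}

// VULNERABLE: whatever arrives in the `inputs` parameter becomes part of the
// SQL text, so the statement is no longer bounded by the intended IN (...).
function build_query_unsafe(string $inputs): string {
    return "SELECT * FROM wp_fm_submits WHERE id IN ({$inputs})";
}

// HARDENED: enforce the expected shape (positive integers only), refuse
// anything else, and bind each value through a %d placeholder.
function build_query_safe(WpdbStandIn $wpdb, string $inputs): ?string {
    $ids = [];
    foreach (explode(',', $inputs) as $part) {
        if (!preg_match('/^\s*\d+\s*$/', $part)) {
            return null; // non-numeric token: reject the request rather than "fix" it
        }
        $ids[] = (int) $part;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '%d'));
    return $wpdb->prepare("SELECT * FROM wp_fm_submits WHERE id IN ({$placeholders})", ...$ids);
}

$wpdb = new WpdbStandIn();
foreach (['3,7', '3,seven'] as $inputs) { // constructed sample values
    echo "unsafe: ", build_query_unsafe($inputs), "\n";
    echo "safe:   ", build_query_safe($wpdb, $inputs) ?? '(rejected)', "\n";
}
```

The unsafe builder passes both sample values into the SQL text unchanged, while the hardened builder emits `IN (3,7)` for the first and rejects the second before any query is built.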
How This Could Impact Your Website
In a typical small business WordPress site, multiple people may have accounts and roles: a site owner, internal staff who manage content, and external contractors or contributors who submit forms. If the plugin on your site accepts and uses form input without proper escaping, an unauthenticated attacker could craft input to the vulnerable inputs parameter that causes the database to return sensitive data.
- Exposed data could include internal user email addresses or other information stored in the database that attackers can use for targeted phishing or social engineering.
- Because the vulnerability does not require authentication, it can be exploited by anyone who can reach the affected endpoint from the network.
Professional review: If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributor-level accounts that can submit content.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual database queries, form submissions, or other anomalous behavior.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.