Introduction
An unauthenticated SQL Injection in the Form Maker by 10Web WordPress plugin allows remote attackers to extract sensitive information directly from the database without any credentials. With over 30,000 active installations, this plugin's broad footprint across WordPress sites makes CVE-2026-3359 a meaningful risk for organizations that rely on it for contact forms and user input collection.
Form Maker by 10Web is a drag-and-drop contact form builder plugin for WordPress, designed to let site administrators create mobile-friendly forms without writing code. It maintains a significant presence in the WordPress plugin ecosystem with tens of thousands of active installations and compatibility tested up to WordPress 6.9.4. Its popularity among small and mid-sized businesses makes vulnerabilities in this plugin particularly relevant to the broader WordPress security landscape.
Technical Information
CVE-2026-3359 is classified under CWE-89: Improper Neutralization of Special Elements used in an SQL Command. The vulnerability exists in the handling of the `inputs` parameter within the plugin. The core issue is twofold: the plugin does not sufficiently escape user-supplied data passed through this parameter, and the SQL query that consumes this data is not built with a prepared statement.
In WordPress plugin development, the standard practice for safe database interaction is $wpdb->prepare(), which binds user input through placeholders (%d, %f, %s) so that it is treated as data and cannot alter the structure of the SQL statement. Escaping with esc_sql() only protects values that land inside a quoted string literal, so it is not a substitute. When the preparation step is missing or incomplete, and input escaping is also insufficient, the door opens for classic SQL injection.
The CVSS 3.x vector for this vulnerability is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (base score 7.5, High), which breaks down as follows:
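The two patterns described above, side by side, as an added illustration written for this page. It is not code from the Form Maker plugin or from 10Web; the table name fm_example_entries, its columns and the function names are assumed for the example, and $wpdb is the standard WordPress database object.

```php
<?php
// Added example, not plugin code. The table fm_example_entries, its columns
// (id, group_id, title) and the function names are assumed for illustration.
// $wpdb is WordPress's global database object, passed in here for clarity.

// VULNERABLE: the request value is interpolated into the SQL text. Because it
// lands inside an unquoted IN (...) list, even esc_sql() would not help: a
// value such as  1) UNION SELECT user_login, user_pass FROM wp_users --
// leaves the original query intact and appends a second SELECT to it.
function fm_example_lookup_vulnerable($wpdb, array $request) {
    $inputs = isset($request['inputs']) ? $request['inputs'] : '';
    $sql = "SELECT id, group_id FROM {$wpdb->prefix}fm_example_entries WHERE id IN ({$inputs})";
    return $wpdb->get_results($sql);
}

// HARDENED: validate the shape first (a list of positive integers), then let
// $wpdb->prepare() bind each value through its own %d placeholder. The input
// never becomes part of the SQL text, so it cannot change the statement.
function fm_example_lookup_prepared($wpdb, array $request) {
    $raw   = isset($request['inputs']) ? $request['inputs'] : '';
    $parts = is_array($raw) ? $raw : explode(',', (string) $raw);
    $ids   = array_values(array_unique(array_filter(
        array_map('intval', $parts),
        function ($n) { return $n > 0; }
    )));
    if (empty($ids)) {
        return array();
    }
    // One %d per value; prepare() accepts the values as a single array.
    $placeholders = implode(', ', array_fill(0, count($ids), '%d'));
    $sql = $wpdb->prepare(
        "SELECT id, group_id FROM {$wpdb->prefix}fm_example_entries WHERE id IN ({$placeholders})",
        $ids
    );
    return $wpdb->get_results($sql);
}

// For a free-text value the same rule applies with %s. prepare() adds the
// quotes and escaping itself, so the placeholder is written bare in the query.
function fm_example_find_by_title($wpdb, $title) {
    $sql = $wpdb->prepare(
        "SELECT id FROM {$wpdb->prefix}fm_example_entries WHERE title = %s",
        (string) $title
    );
    return $wpdb->get_results($sql);
}
```

The hardened form does two independent things: it rejects anything that is not a positive integer before any SQL is built, and it binds the surviving values through placeholders so that the query's structure is fixed by the developer, not by the request. Either step alone is weaker; in particular, escaping a value that is interpolated into an unquoted position (an IN list, a column name, an ORDER BY clause) provides no protection at all.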
| CVSS Component | Value | Meaning |
|---|---|---|
| Attack Vector | Network | Exploitable remotely over the network |
| Attack Complexity | Low | No special conditions required |
| Privileges Required | None | No authentication needed |
| User Interaction | None | No victim action required |
| Scope | Unchanged | Impact limited to the vulnerable component |
| Confidentiality | High | Full read access to database contents |
| Integrity | None | No data modification |
| Availability | None | No denial of service |
The attack flow, based on the available information, proceeds as follows:
- An attacker identifies a WordPress site running Form Maker by 10Web version 1.15.42 or earlier.
- The attacker sends a request whose `inputs` parameter carries a malicious payload. Because the value is neither escaped nor parameterized before it is incorporated into a SQL query, the injected SQL is executed by the database.
- Because this is an append-style injection (the attacker's SQL is added onto the existing query rather than replacing it), techniques such as UNION-based extraction or conditional (blind) injection can be used to read arbitrary data from the database.
- Sensitive information, which could include WordPress user names and password hashes, email addresses, form submission data, or other stored content, is returned to the attacker.
The fact that this vulnerability requires no authentication is particularly notable. Any internet facing WordPress site running a vulnerable version of this plugin is exposed to automated scanning and exploitation without any barrier.
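Because exploitation attempts of this class arrive as ordinary GET requests, a first-pass detection can be run over web-server access logs. The scanner below is an added example written for this page, not a tool from the vendor or from the page's source; the request path, the log lines and the regular expressions are constructed for illustration, and the parameter name `inputs` is the only detail taken from the advisory.

```php
<?php
// Added example, not from the plugin or the advisory. A heuristic scanner for
// combined-format access logs that flags requests whose "inputs" query
// parameter carries SQL-injection tokens. The patterns are a starting point,
// not a complete signature set; tune them to your environment.

const FM_SQLI_PATTERNS = array(
    '/\bunion\b[\s\/\*]+.*\bselect\b/i',       // UNION-based extraction
    '/\b(sleep|benchmark|pg_sleep)\s*\(/i',    // time-based blind
    '/\b(and|or)\b\s+\d+\s*=\s*\d+/i',         // boolean-based blind (1=1 / 1=2)
    '/(--|#|\/\*)/',                           // comment used to drop the query tail
    '/\binformation_schema\b/i',               // schema enumeration
);

// Pull the decoded "inputs" value out of one log line, or null if absent.
function fm_extract_inputs_param(string $log_line): ?string {
    if (!preg_match('/"(?:GET|POST)\s+(\S+)\s+HTTP\/[\d.]+"/', $log_line, $m)) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return null;
    }
    parse_str($query, $params);           // parse_str already URL-decodes once
    if (!isset($params['inputs'])) {
        return null;
    }
    $value = $params['inputs'];
    $value = is_array($value) ? implode(' ', $value) : (string) $value;
    return urldecode($value);             // second pass catches double encoding
}

// Return the list of patterns a decoded value matches (empty if benign).
function fm_classify_inputs_value(string $value): array {
    $hits = array();
    foreach (FM_SQLI_PATTERNS as $re) {
        if (preg_match($re, $value)) {
            $hits[] = $re;
        }
    }
    return $hits;
}

// Scan a list of log lines and return one alert per suspicious request.
function fm_scan_log(array $lines): array {
    $alerts = array();
    foreach ($lines as $n => $line) {
        $value = fm_extract_inputs_param($line);
        if ($value === null) {
            continue;
        }
        $hits = fm_classify_inputs_value($value);
        if ($hits) {
            $alerts[] = array('line' => $n + 1, 'inputs' => $value, 'matches' => $hits);
        }
    }
    return $alerts;
}

// Constructed sample lines (hypothetical path and addresses): one benign
// request, one UNION-based attempt, one time-based blind attempt.
$sample = array(
    '203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /?inputs=12,14 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Mar/2026:12:00:02 +0000] "GET /?inputs=1)%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users-- HTTP/1.1" 200 2048',
    '203.0.113.9 - - [10/Mar/2026:12:00:03 +0000] "GET /?inputs=1)%20AND%20SLEEP(5)-- HTTP/1.1" 200 512',
);
foreach (fm_scan_log($sample) as $a) {
    printf("line %d: inputs=%s matched %d pattern(s)\n", $a['line'], $a['inputs'], count($a['matches']));
}
```

Two caveats apply. Access logs record only the query string, so a payload delivered in a POST body is invisible here; for that you need the web application firewall's or the application's own request logging. And the comment-token pattern will fire on legitimate values that happen to contain `#` or `--`, so treat a single match as a lead to triage, and a UNION or SLEEP match combined with a 200 response and an unusually large response size as the stronger signal.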
Affected Systems and Versions
The vulnerability affects the following:
| Software | Affected Versions | Fixed Version |
|---|---|---|
| Form Maker by 10Web (WordPress plugin) | All versions up to and including 1.15.42 | 1.15.43 |
Any WordPress installation running Form Maker by 10Web at version 1.15.42 or earlier is vulnerable, regardless of the WordPress core version; updating to 1.15.43 or later is the fix. On sites with WP-CLI, `wp plugin get form-maker --field=version` prints the installed version (this assumes the plugin's directory slug is form-maker).
Vendor Security History
10Web has a documented track record of addressing security issues in the Form Maker plugin. The changelog indicates that previous SQL injection vulnerabilities and minor security flaws were fixed in version 1.14.3. The current vulnerability, CVE-2026-3359, was explicitly addressed in the 1.15.43 release. While the vendor's responsiveness to reported issues is a positive signal, the recurrence of SQL injection specifically points to a systemic challenge with input validation and query parameterization in the plugin's codebase. Organizations evaluating this plugin should weigh this pattern when assessing long term risk.