SQL Injection Vulnerability in Form Maker Plugin by 10Web for WordPress
CVE-2026-3330

4.9MEDIUM

Key Information:

Vendor: WordPress
Status: Form Maker By 10web – Mobile-friendly Drag & Drop Contact Form Builder
Vendor: CVE Published:; 17 April 2026

What is CVE-2026-3330?

The Form Maker plugin by 10Web suffers from an SQL Injection vulnerability across all versions up to and including 1.15.40. The flaw originates from the improper handling of user inputs in the 'ip_search', 'startdate', 'enddate', 'username_search', and 'useremail_search' parameters. Specifically, the WDW_FM_Library::validate_data() method inadequately processes the data by removing security protections set by WordPress, allowing for potential SQL query manipulation. This vulnerability permits authenticated users with Administrator privileges to inject malicious SQL queries that can retrieve sensitive database information. Furthermore, the Submissions controller's failure to enforce nonce checks for the 'display' task provides a means for Cross-Site Request Forgery (CSRF), enabling attackers to exploit the vulnerability through crafted links, thereby amplifying the risk to data integrity.

Affected Version(s)

Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder 0 <= 1.15.40

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/form-maker/tag...

https://plugins.trac.wordpress.org/browser/form-maker/tru...

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 17, 2026
Vulnerability Reserved
Feb 27, 2026

Credit

Sein Linn

CVE-2026-3330 Data

JSON