Unauthenticated SQL Injection in Form Maker by 10Web
CVE-2026-39502

9.3CRITICAL

Key Information:

Vendor

WordPress

Vendor
CVE Published:
15 June 2026

What is CVE-2026-39502?

The Form Maker plugin by 10Web is susceptible to an unauthenticated SQL injection vulnerability, impacting versions up to 1.15.38. This issue allows attackers to execute arbitrary SQL queries on the database without authentication, potentially leading to sensitive data exposure or manipulation. Website owners using this plugin are strongly advised to update to the latest version to mitigate risks.

Affected Version(s)

Form Maker by 10Web <= 1.15.38

References

CVSS V3.1

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nguyen Ba Khanh | Patchstack Bug Bounty Program
.