SQL Injection Vulnerability in Easy Form Builder by WordPress
CVE-2026-42747

9.3CRITICAL

Key Information:

Vendor: WordPress
Status: Easy Form Builder
Vendor: CVE Published:; 27 May 2026

What is CVE-2026-42747?

The Easy Form Builder plugin for WordPress is susceptible to an SQL Injection vulnerability due to improper neutralization of special elements used in SQL commands. This flaw allows for blind SQL injection attacks, potentially compromising the integrity and confidentiality of the database. Affected versions of the plugin range from n/a up to and including version 4.0.6. It is crucial for users to update their installations to protect against potential exploits that can lead to unauthorized access and data manipulation.

Affected Version(s)

Easy Form Builder 0 <= 4.0.6

References

https://patchstack.com/database/Wordpress/Plugin/easy-for...

vdb-entry

CVSS V3.1

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 27, 2026
Vulnerability Reserved
Apr 29, 2026

Credit

kai63001 | Patchstack Bug Bounty Program

CVE-2026-42747 Data

JSON