CVE-2026-3330 Overview
The Form Maker by 10Web plugin for WordPress contains a SQL Injection vulnerability affecting all versions up to and including 1.15.40. The vulnerability exists in multiple search parameters including ip_search, startdate, enddate, username_search, and useremail_search. This flaw allows authenticated attackers with Administrator-level access to append malicious SQL queries to existing database queries, potentially enabling extraction of sensitive information from the WordPress database.
Critical Impact
Authenticated attackers with administrator privileges can exploit this SQL Injection vulnerability to extract sensitive data from the database. The vulnerability can also be triggered via CSRF due to missing nonce verification, potentially allowing exploitation through social engineering.
Affected Products
- Form Maker by 10Web WordPress Plugin versions up to and including 1.15.40
Discovery Timeline
- 2026-04-17 - CVE-2026-3330 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-3330
Vulnerability Analysis
This SQL Injection vulnerability stems from improper handling of user input in the Form Maker plugin's submissions management functionality. The vulnerability is particularly concerning because it bypasses WordPress's built-in security protections against SQL injection attacks. Specifically, the WDW_FM_Library::validate_data() method calls stripslashes() on user input, which removes the escaping applied by WordPress's wp_magic_quotes() protection mechanism. Subsequently, the FMModelSubmissions_fm::get_labels_parameters() function directly concatenates these user-supplied values into SQL queries without utilizing WordPress's $wpdb->prepare() function for parameterized queries.
An additional security concern compounds this vulnerability: the Submissions controller skips nonce verification for the display task. This oversight means that even though administrator-level access is required, the vulnerability can be triggered via Cross-Site Request Forgery (CSRF) attacks. An attacker could craft a malicious link and trick an authenticated administrator into clicking it, thereby triggering the SQL injection without direct admin panel access.
Root Cause
The root cause of this vulnerability is twofold. First, the validate_data() method in WDW_FM_Library.php inappropriately uses stripslashes() on user input, which strips away the protective escaping that WordPress adds through wp_magic_quotes(). Second, the get_labels_parameters() function in Submissions_fm.php directly concatenates user-supplied values into SQL queries instead of using parameterized queries via $wpdb->prepare(). The combination of stripping escape characters and failing to use prepared statements creates a direct path for SQL injection attacks.
Attack Vector
The attack vector is network-based, requiring authentication with Administrator-level privileges. An attacker with valid administrator credentials can inject malicious SQL code through the vulnerable search parameters (ip_search, startdate, enddate, username_search, or useremail_search) in the Form Maker submissions interface. Alternatively, due to the missing nonce verification, an attacker can craft a malicious URL containing the SQL injection payload and use social engineering techniques to trick a logged-in administrator into clicking the link, thereby exploiting the vulnerability via CSRF.
The vulnerability manifests in the submissions controller where user-supplied search parameters are processed. The WDW_FM_Library::validate_data() method removes escape characters, and the resulting unsanitized data is concatenated directly into SQL queries within the FMModelSubmissions_fm::get_labels_parameters() function. For technical implementation details, see the WordPress Form Maker Library and WordPress Form Maker Model source code.
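The following PHP is an added illustrative example, not Form Maker's own code: it shows the pattern the page describes (stripslashes() undoing the wp_magic_quotes() escaping, then string concatenation into SQL) next to a hardened version that verifies a nonce for the task and binds the search values through $wpdb->prepare(). The function names, the nonce action name, the table argument and the column names are assumptions; $wpdb, check_admin_referer(), wp_unslash(), sanitize_text_field() and $wpdb->esc_like() are real WordPress APIs.

```php
<?php
// Added example, not the plugin's code. Names below are assumptions that mirror
// the page's description; WordPress APIs used are real.

/**
 * Vulnerable pattern as described on the page: stripslashes() removes the
 * escaping wp_magic_quotes() added, and the value goes straight into SQL.
 */
function fm_example_vulnerable_query( $table ) {
    $ip_search = stripslashes( $_GET['ip_search'] ?? '' );   // unescapes the input
    $where     = " WHERE ip LIKE '%" . $ip_search . "%'";    // direct concatenation
    return "SELECT id, ip, date FROM {$table}" . $where;
}

/**
 * Hardened pattern: reject requests without the task nonce (CSRF), unslash and
 * sanitize the raw input, whitelist the date format, and bind every value.
 */
function fm_example_hardened_query( $table ) {
    global $wpdb;

    // 'fm_submissions_display' is an assumed nonce action; wp_die()s on failure.
    check_admin_referer( 'fm_submissions_display' );

    $ip_search = sanitize_text_field( wp_unslash( $_GET['ip_search'] ?? '' ) );
    $startdate = sanitize_text_field( wp_unslash( $_GET['startdate'] ?? '' ) );
    $enddate   = sanitize_text_field( wp_unslash( $_GET['enddate'] ?? '' ) );

    // Dates: accept only YYYY-MM-DD; anything else drops the filter.
    $date_re = '/^\d{4}-\d{2}-\d{2}$/';
    if ( ! preg_match( $date_re, $startdate ) ) { $startdate = ''; }
    if ( ! preg_match( $date_re, $enddate ) )   { $enddate = ''; }

    $sql  = "SELECT id, ip, date FROM {$table} WHERE 1=1";
    $args = array();

    if ( '' !== $ip_search ) {
        $sql   .= ' AND ip LIKE %s';
        // esc_like() escapes % and _ so the user cannot widen the LIKE match.
        $args[] = '%' . $wpdb->esc_like( $ip_search ) . '%';
    }
    if ( '' !== $startdate ) {
        $sql   .= ' AND date >= %s';
        $args[] = $startdate;
    }
    if ( '' !== $enddate ) {
        $sql   .= ' AND date <= %s';
        $args[] = $enddate;
    }

    // prepare() with no placeholders raises a notice, so only call it when bound.
    return $args ? $wpdb->prepare( $sql, $args ) : $sql;
}
```

The table name is passed in by the developer (for example $wpdb->prefix . 'some_table') and is never user-controlled; everything that comes from the request is bound with %s. The nonce check makes the CSRF route described above fail before any query is built.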
Detection Methods for CVE-2026-3330
Indicators of Compromise
- Unusual or malformed values in Form Maker submission search parameters (ip_search, startdate, enddate, username_search, useremail_search)
- Database query logs showing SQL syntax errors or unexpected query patterns originating from Form Maker plugin requests
- Evidence of data exfiltration attempts through error-based or time-based SQL injection techniques
- Unexpected administrator activity accessing Form Maker submissions with suspicious URL parameters
Detection Strategies
- Monitor web application firewall (WAF) logs for SQL injection patterns in requests to Form Maker plugin endpoints
- Implement database query logging and analyze for anomalous queries containing UNION SELECT, subqueries, or time-based injection patterns
- Review WordPress access logs for suspicious requests to /wp-admin/admin.php with page=submissions_fm parameters containing injection payloads
- Deploy SentinelOne Singularity to detect and block exploitation attempts through behavioral analysis
Monitoring Recommendations
- Enable and review WordPress debug logs for database errors that may indicate SQL injection attempts
- Configure alerting for failed or unusual database queries in the WordPress database
- Monitor for CSRF attack patterns such as administrator sessions accessing Form Maker with referrers from external domains
- Implement real-time monitoring of plugin file integrity to detect any unauthorized modifications
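As an added example of the access-log review and CSRF-referrer monitoring described above (not part of the advisory or of any vendor product), the PHP below parses Apache/nginx "combined" access-log lines, keeps only requests to /wp-admin/admin.php with page=submissions_fm, and flags the five search parameters when they contain injection-like content, plus requests whose Referer comes from a host other than the site itself. The log lines are constructed samples; the regex patterns are a starting point to tune, not a complete signature set.

```php
<?php
// Added detection example. Sample log lines are constructed, not real traffic.

const FM_SEARCH_PARAMS = array( 'ip_search', 'startdate', 'enddate', 'username_search', 'useremail_search' );

// Coarse indicators of SQL injection content; tune for your environment.
const FM_SQLI_PATTERNS = array(
    '/\bunion\b\s+(all\s+)?\bselect\b/i',   // union-based
    '/\b(sleep|benchmark)\s*\(/i',          // time-based
    '/\b(and|or)\b\s+\d+\s*=\s*\d+/i',      // boolean tautology
    '/(--|#|\/\*)/',                        // comment terminators
    '/[\'"]\s*(or|and)\b/i',                // quote break-out
);

/** Parse one combined-format access-log line into its fields, or null. */
function fm_parse_log_line( $line ) {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array( 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
                  'uri' => $m[4], 'status' => (int) $m[5], 'referer' => $m[6] );
}

/** Return findings for lines that look like attempts against the submissions page. */
function fm_scan_access_log( array $lines, $site_host ) {
    $findings = array();
    foreach ( $lines as $line ) {
        $req = fm_parse_log_line( $line );
        if ( null === $req ) { continue; }

        $parts = parse_url( $req['uri'] );
        $path  = $parts['path'] ?? '';
        if ( substr( $path, -strlen( '/wp-admin/admin.php' ) ) !== '/wp-admin/admin.php' ) { continue; }
        parse_str( $parts['query'] ?? '', $q );           // URL-decodes the parameters
        if ( ( $q['page'] ?? '' ) !== 'submissions_fm' ) { continue; }

        $reasons = array();
        foreach ( FM_SEARCH_PARAMS as $p ) {
            if ( ! isset( $q[ $p ] ) ) { continue; }
            foreach ( FM_SQLI_PATTERNS as $pat ) {
                if ( preg_match( $pat, $q[ $p ] ) ) {
                    $reasons[] = "sqli-like value in {$p}";
                    break;
                }
            }
        }
        // Admin request whose Referer is an external origin: CSRF indicator.
        $ref_host = '' !== $req['referer'] ? parse_url( $req['referer'], PHP_URL_HOST ) : null;
        if ( null !== $ref_host && 0 !== strcasecmp( $ref_host, $site_host ) ) {
            $reasons[] = "external referer {$ref_host} (possible CSRF)";
        }
        if ( $reasons ) {
            $findings[] = array( 'ip' => $req['ip'], 'time' => $req['time'],
                                 'uri' => $req['uri'], 'reasons' => $reasons );
        }
    }
    return $findings;
}

// Constructed sample lines: a benign search, then a suspicious one lured from outside.
$sample = array(
    '203.0.113.5 - - [17/Apr/2026:10:00:01 +0000] "GET /wp-admin/admin.php?page=submissions_fm&ip_search=10.0.0.1 HTTP/1.1" 200 512 "https://example.test/wp-admin/admin.php?page=submissions_fm" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Apr/2026:10:00:09 +0000] "GET /wp-admin/admin.php?page=submissions_fm&ip_search=1%27%20OR%201%3D1%20--%20 HTTP/1.1" 200 512 "https://lure.example/page.html" "Mozilla/5.0"',
);
foreach ( fm_scan_access_log( $sample, 'example.test' ) as $f ) {
    echo $f['time'], ' ', $f['ip'], ' ', $f['uri'], ' : ', implode( '; ', $f['reasons'] ), PHP_EOL;
}
```

Only the second sample line is reported, for both reasons. A missing Referer is not flagged on its own, since browsers and privacy extensions strip it routinely; pair this with the database-error monitoring above to reduce noise.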
How to Mitigate CVE-2026-3330
Immediate Actions Required
- Update Form Maker by 10Web plugin to the latest patched version immediately
- Review database access logs for any signs of prior exploitation
- Implement Web Application Firewall (WAF) rules to block SQL injection attempts targeting the identified parameters
- Restrict administrative access to trusted IP addresses where possible
Patch Information
The vulnerability has been addressed by the plugin developers. A security patch is available through the WordPress Form Maker Changeset. The fix passes the search values through $wpdb->prepare() as bound parameters instead of concatenating them into the query, and adds nonce verification for the display task in the Submissions controller. Users should update to the latest version available through the WordPress plugin repository. For additional details, consult the Wordfence Vulnerability Report.
Workarounds
- Temporarily disable the Form Maker plugin until the patch can be applied
- Implement WAF rules to filter and block malicious SQL injection payloads in the affected parameters
- Restrict administrator access to the Form Maker submissions page through role-based access controls
- Add custom input validation at the web server level for requests targeting Form Maker endpoints
# Example: Apache .htaccess configuration to limit admin access by IP
# Add to .htaccess in the wp-admin directory. The 192.168.1.0/24 and 10.0.0.0/8
# ranges are placeholders; replace them with the networks your administrators use.
# Apache 2.2 syntax (also accepted by 2.4 when mod_access_compat is loaded):
<Files "admin.php">
Order Deny,Allow
Deny from all
Allow from 192.168.1.0/24
Allow from 10.0.0.0/8
</Files>
# Apache 2.4 native syntax (use one form or the other, not both):
<Files "admin.php">
Require ip 192.168.1.0/24 10.0.0.0/8
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

