Skip to main content
CVE Vulnerability Database

CVE-2026-3330: Form Maker by 10Web SQLi Vulnerability

CVE-2026-3330 is a SQL injection flaw in the Form Maker by 10Web WordPress plugin that allows authenticated attackers to extract sensitive database information. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-3330 Overview

The Form Maker by 10Web plugin for WordPress contains a SQL Injection vulnerability affecting all versions up to and including 1.15.40. The vulnerability exists in multiple search parameters including ip_search, startdate, enddate, username_search, and useremail_search. This flaw allows authenticated attackers with Administrator-level access to append malicious SQL queries to existing database queries, potentially enabling extraction of sensitive information from the WordPress database.

Critical Impact

Authenticated attackers with administrator privileges can exploit this SQL Injection vulnerability to extract sensitive data from the database. The vulnerability can also be triggered via CSRF due to missing nonce verification, potentially allowing exploitation through social engineering.

Affected Products

  • Form Maker by 10Web WordPress Plugin versions up to and including 1.15.40

Discovery Timeline

  • 2026-04-17 - CVE CVE-2026-3330 published to NVD
  • 2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-3330

Vulnerability Analysis

This SQL Injection vulnerability stems from improper handling of user input in the Form Maker plugin's submissions management functionality. The vulnerability is particularly concerning because it bypasses WordPress's built-in security protections against SQL injection attacks. Specifically, the WDW_FM_Library::validate_data() method calls stripslashes() on user input, which removes the escaping applied by WordPress's wp_magic_quotes() protection mechanism. Subsequently, the FMModelSubmissions_fm::get_labels_parameters() function directly concatenates these user-supplied values into SQL queries without utilizing WordPress's $wpdb->prepare() function for parameterized queries.

An additional security concern compounds this vulnerability: the Submissions controller skips nonce verification for the display task. This oversight means that even though administrator-level access is required, the vulnerability can be triggered via Cross-Site Request Forgery (CSRF) attacks. An attacker could craft a malicious link and trick an authenticated administrator into clicking it, thereby triggering the SQL injection without direct admin panel access.

Root Cause

The root cause of this vulnerability is twofold. First, the validate_data() method in WDW_FM_Library.php inappropriately uses stripslashes() on user input, which strips away the protective escaping that WordPress adds through wp_magic_quotes(). Second, the get_labels_parameters() function in Submissions_fm.php directly concatenates user-supplied values into SQL queries instead of using parameterized queries via $wpdb->prepare(). The combination of stripping escape characters and failing to use prepared statements creates a direct path for SQL injection attacks.

Attack Vector

The attack vector is network-based, requiring authentication with Administrator-level privileges. An attacker with valid administrator credentials can inject malicious SQL code through the vulnerable search parameters (ip_search, startdate, enddate, username_search, or useremail_search) in the Form Maker submissions interface. Alternatively, due to the missing nonce verification, an attacker can craft a malicious URL containing the SQL injection payload and use social engineering techniques to trick a logged-in administrator into clicking the link, thereby exploiting the vulnerability via CSRF.

The vulnerability manifests in the submissions controller where user-supplied search parameters are processed. The WDW_FM_Library::validate_data() method removes escape characters, and the resulting unsanitized data is concatenated directly into SQL queries within the FMModelSubmissions_fm::get_labels_parameters() function. For technical implementation details, see the WordPress Form Maker Library and WordPress Form Maker Model source code.

Detection Methods for CVE-2026-3330

Indicators of Compromise

  • Unusual or malformed values in Form Maker submission search parameters (ip_search, startdate, enddate, username_search, useremail_search)
  • Database query logs showing SQL syntax errors or unexpected query patterns originating from Form Maker plugin requests
  • Evidence of data exfiltration attempts through error-based or time-based SQL injection techniques
  • Unexpected administrator activity accessing Form Maker submissions with suspicious URL parameters

Detection Strategies

  • Monitor web application firewall (WAF) logs for SQL injection patterns in requests to Form Maker plugin endpoints
  • Implement database query logging and analyze for anomalous queries containing UNION SELECT, subqueries, or time-based injection patterns
  • Review WordPress access logs for suspicious requests to /wp-admin/admin.php with page=submissions_fm parameters containing injection payloads
  • Deploy SentinelOne Singularity to detect and block exploitation attempts through behavioral analysis

Monitoring Recommendations

  • Enable and review WordPress debug logs for database errors that may indicate SQL injection attempts
  • Configure alerting for failed or unusual database queries in the WordPress database
  • Monitor for CSRF attack patterns such as administrator sessions accessing Form Maker with referrers from external domains
  • Implement real-time monitoring of plugin file integrity to detect any unauthorized modifications

How to Mitigate CVE-2026-3330

Immediate Actions Required

  • Update Form Maker by 10Web plugin to the latest patched version immediately
  • Review database access logs for any signs of prior exploitation
  • Implement Web Application Firewall (WAF) rules to block SQL injection attempts targeting the identified parameters
  • Restrict administrative access to trusted IP addresses where possible

Patch Information

The vulnerability has been addressed by the plugin developers. A security patch is available through the WordPress Form Maker Changeset. The fix implements proper input sanitization using $wpdb->prepare() for parameterized queries and adds nonce verification for the display task in the Submissions controller. Users should update to the latest version available through the WordPress plugin repository. For additional details, consult the Wordfence Vulnerability Report.

Workarounds

  • Temporarily disable the Form Maker plugin until the patch can be applied
  • Implement WAF rules to filter and block malicious SQL injection payloads in the affected parameters
  • Restrict administrator access to the Form Maker submissions page through role-based access controls
  • Add custom input validation at the web server level for requests targeting Form Maker endpoints
bash
# Example: WordPress configuration to limit admin access by IP
# Add to .htaccess in wp-admin directory
<Files "admin.php">
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.0/24
    Allow from 10.0.0.0/8
</Files>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.