Platform: wordpress
Component: form-maker
Fixed in: 1.15.41
CVE-2026-3330 is a SQL Injection vulnerability in the Form Maker by 10Web plugin for WordPress. The flaw allows authenticated attackers with administrator privileges to extract sensitive data from the database. It affects all versions up to and including 1.15.40 and stems from improper input validation and unsafe query construction. The issue is fixed in version 1.15.41.
An attacker exploiting CVE-2026-3330 could use SQL Injection to extract sensitive information stored in the Form Maker plugin's database, including user data collected through forms, administrative credentials, or other confidential records. Successful exploitation requires an authenticated administrator account on the WordPress site. The blast radius is limited to the data stored in the Form Maker plugin's database, but the potential for data exfiltration remains a significant risk: SQL Injection vulnerabilities frequently lead to data breaches and loss of system integrity, as other database-related flaws have shown.
CVE-2026-3330 was published on 2026-04-17 and is currently rated Medium (CVSS 4.9). No public exploits or active campaigns targeting this vulnerability were known at the time of writing, and it is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The EPSS score is pending evaluation, so the probability of exploitation is uncertain.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-3330 is to upgrade the Form Maker by 10Web plugin to version 1.15.41 or later immediately. If upgrading is not immediately feasible because of compatibility or testing requirements, consider temporary workarounds: restrict access to the vulnerable parameters (ipsearch, startdate, enddate, usernamesearch, useremail_search) with a web application firewall (WAF) or proxy server, review and restrict user roles and permissions to limit the impact of a successful attack, and monitor WordPress logs for suspicious SQL queries that might indicate exploitation attempts. After upgrading, confirm the fix by exercising the previously vulnerable parameters and verifying that the resulting queries are properly sanitized.
Update to version 1.15.41, or a newer patched version
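The log-monitoring workaround above can be made concrete with a small scanner. The following Python script is an added example, not code from this advisory or from 10Web: it reads web-server access-log lines in the common combined format, pulls the query string of each request, and flags any of the five parameters named in the advisory (ipsearch, startdate, enddate, usernamesearch, useremail_search) whose value carries SQL-injection indicators such as quote-break tautologies, UNION SELECT, comment terminators or stacked queries. The log lines embedded in it are constructed, and the `page=form-maker-placeholder` value in the request paths is a placeholder, since the advisory does not name the plugin endpoint. The indicator patterns are deliberately tuned to the expected shape of these fields (IP addresses, dates, usernames, e-mail addresses), so a lone apostrophe in a surname is not enough to trigger a finding.

```python
"""Scan access-log lines for suspicious values in the Form Maker request
parameters named in the CVE-2026-3330 advisory.  Added illustration, not
10Web code; the sample log lines are constructed and the endpoint path is
a placeholder."""
import re
from urllib.parse import parse_qs, urlsplit

# Parameters the advisory names as the vulnerable inputs.
WATCHED_PARAMS = {"ipsearch", "startdate", "enddate",
                  "usernamesearch", "useremail_search"}

# Indicators that a value tries to break out of a quoted SQL literal or to
# append clauses.  Kept narrow to stay quiet on normal IPs, dates, names and
# e-mail addresses (a single apostrophe alone does not match).
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I),  # ' OR 1=1 / ' or 'a'='a
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),      # UNION [ALL] SELECT
    re.compile(r"(--|#|/\*)"),                                 # comment terminators
    re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I),  # stacked query
    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),             # time-based probes
]

# Apache/nginx combined log format: client, ident, user, [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample: two benign admin requests (one with an apostrophe in a
# surname) and two that carry injection payloads in watched parameters.
SAMPLE_LOG = [
    '203.0.113.7 - admin [17/Apr/2026:10:01:02 +0000] "GET /wp-admin/admin.php?page=form-maker-placeholder'
    '&ipsearch=10.0.0.5&startdate=2026-04-01&enddate=2026-04-17 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - admin [17/Apr/2026:10:05:44 +0000] "GET /wp-admin/admin.php?page=form-maker-placeholder'
    '&usernamesearch=admin%27+OR+1%3D1--+- HTTP/1.1" 200 8192 "-" "curl/8.5"',
    '198.51.100.23 - admin [17/Apr/2026:10:06:10 +0000] "GET /wp-admin/admin.php?page=form-maker-placeholder'
    '&useremail_search=x%27+UNION+SELECT+1%2C2%2C3--+- HTTP/1.1" 200 8192 "-" "curl/8.5"',
    '203.0.113.7 - admin [17/Apr/2026:10:07:00 +0000] "GET /wp-admin/admin.php?page=form-maker-placeholder'
    '&usernamesearch=O%27Brien HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def suspicious_values(target: str) -> dict:
    """Return {param: decoded_value} for watched parameters whose value
    matches at least one injection indicator.  parse_qs percent-decodes
    once, which is what the application would see for a single-encoded value."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    hits = {}
    for name, values in query.items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            if any(pattern.search(value) for pattern in SQLI_PATTERNS):
                hits[name] = value
    return hits


def scan_log(lines) -> list:
    """Return (client_ip, timestamp, {param: value}) for every line whose
    watched parameters look like an injection attempt; unparsable lines are skipped."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        hits = suspicious_values(match.group("target"))
        if hits:
            findings.append((match.group("ip"), match.group("ts"), hits))
    return findings


if __name__ == "__main__":
    for client_ip, ts, hits in scan_log(SAMPLE_LOG):
        print(f"{ts} {client_ip} suspicious Form Maker parameters: {hits}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with `open("access.log")`; the findings are a triage queue for the administrator accounts behind the flagged requests, not proof of compromise, so pair them with the plugin upgrade rather than relying on detection alone. Double-encoded payloads would need a second decode pass before matching; the scanner above decodes once, matching what the application receives.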
It's a SQL Injection vulnerability in the Form Maker by 10Web WordPress plugin, allowing authenticated attackers to potentially extract data.
If you're using Form Maker by 10Web version 1.15.40 or earlier, you are vulnerable.
Upgrade the Form Maker by 10Web plugin to version 1.15.41 or later. Consider WAF rules as a temporary workaround.
Currently, there are no known public exploits or active campaigns targeting this vulnerability.
Refer to the official 10Web advisory and the NVD entry for CVE-2026-3330 for detailed information.