HIGHCVE-2026-39502CVSS 7.5

CVE-2026-39502: Form Maker SQL Injection – WordPress Plugin

Platform

wordpress

Component

form-maker

Fixed in

1.15.39

AI Confidence: highNVDReviewed: Apr 2026

View on NVD

Save

CVE-2026-39502 represents a SQL Injection vulnerability discovered in the Form Maker by 10Web WordPress plugin. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to unauthorized access and extraction of sensitive data from the database. The vulnerability affects versions of the plugin up to and including 1.15.38. A patch is available in version 1.15.39.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

CVSS Vector

Affected Software

Componentform-maker

Vendorwordfence

Affected rangeFixed in

1.15.381.15.39

Weakness Classification (CWE)

CWE-89

Timeline

Published2026-04-08
Modified2026-04-13

How to fix

Update to version 1.15.39, or a newer patched version

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-39502?

CVE-2026-39502 is a SQL Injection vulnerability in the Form Maker by 10Web WordPress plugin. It allows attackers to inject SQL code into database queries, potentially stealing sensitive information.

Am I affected by CVE-2026-39502?

You are affected if you are using Form Maker by 10Web WordPress plugin version 1.15.38 or earlier. It is crucial to check your plugin version and update immediately if vulnerable.

How do I fix CVE-2026-39502?

The vulnerability is fixed in version 1.15.39 of the Form Maker by 10Web plugin. Update your plugin to this version or later to mitigate the risk.

NextGuard

Vulnerabilities

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: None — no integrity impact. Attacker cannot modify data.
Availability: None — no availability impact. Service remains fully operational.

Package Information

Active installs: 30KPopular
Plugin rating: 4.5
Requires WordPress: 4.6+
Compatible up to: 6.9.4

Homepage

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free Search CVEs

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free