Platform
wordpress
Component
form-maker
Fixed in
1.15.41
CVE-2026-3330 is a SQL injection vulnerability in the Form Maker by 10Web plugin for WordPress. An authenticated attacker with Administrator-level access can use it to extract data from the site's database. The flaw affects all versions up to and including 1.15.40 and stems from search and filter parameters that are not validated before being used to build SQL queries. Version 1.15.41 fixes it.
An attacker exploiting CVE-2026-3330 can read data the affected query was never meant to expose. The obvious target is the submissions the plugin has collected through forms, but the plugin's tables live in the same WordPress database as everything else, so an injection can reach any table the site's database user can read, including the wp_users password hashes and other plugins' data; the blast radius is the whole database, not only the plugin's own tables. The precondition is the limiting factor: exploitation requires an Administrator account. On a default single-site install an administrator can already install plugins or edit theme files, so the added risk is concentrated where administrators are deliberately constrained (for example when file modification is disabled with DISALLOW_FILE_MODS, or on multisite, where site administrators cannot install code) and wherever admin credentials are shared or weakly protected. Authenticated SQL injection of this kind is a routine cause of data breaches, and the same pattern has been reported in many WordPress plugins.
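The following is an added example, not the plugin's code: it reconstructs the class of flaw described above (search filters interpolated into a SQL string) next to the parameterised form that fixes it, and runs both against an in-memory SQLite database. The schema is an assumption: a `submissions` table standing in for the plugin's own tables plus a `wp_users` table to show that the injection reaches beyond the plugin's data. Row values are constructed sample data; the parameter names follow the advisory's list.

```python
import sqlite3


# Added example, not the plugin's code. The schema is an assumption: a table of
# form submissions standing in for the plugin's own tables, plus a wp_users
# table to show that an injection reaches beyond the plugin's data. All row
# values are constructed sample data.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE submissions (id INTEGER PRIMARY KEY, ip TEXT, "
                 "username TEXT, submitted TEXT)")
    conn.executemany(
        "INSERT INTO submissions (ip, username, submitted) VALUES (?, ?, ?)",
        [("203.0.113.10", "alice", "2026-04-01"),
         ("203.0.113.11", "bob", "2026-04-05"),
         ("198.51.100.7", "carol", "2026-04-12")])
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, "
                 "user_pass TEXT)")
    conn.execute("INSERT INTO wp_users VALUES (1, 'admin', '$P$BconstructedHashValue')")
    return conn


def search_vulnerable(conn, ipsearch, startdate, enddate):
    """Filter values interpolated straight into the SQL text: a hypothetical
    reconstruction of the injection pattern the advisory describes."""
    sql = (f"SELECT id, ip, username FROM submissions WHERE ip LIKE '%{ipsearch}%' "
           f"AND submitted BETWEEN '{startdate}' AND '{enddate}'")
    return conn.execute(sql).fetchall()


def search_fixed(conn, ipsearch, startdate, enddate):
    """Same query with bound parameters: input can carry any text but can never
    change the SQL structure. In WordPress the equivalent is $wpdb->prepare()."""
    sql = ("SELECT id, ip, username FROM submissions WHERE ip LIKE ? "
           "AND submitted BETWEEN ? AND ?")
    return conn.execute(sql, (f"%{ipsearch}%", startdate, enddate)).fetchall()


if __name__ == "__main__":
    db = build_db()
    legit = ("203.0.113", "2026-04-01", "2026-04-06")
    print("legit, vulnerable:", search_vulnerable(db, *legit))
    print("legit, fixed:     ", search_fixed(db, *legit))
    # A closing quote plus a comment marker removes the date filter entirely.
    bypass = ("x' OR 1=1 -- ", "2026-04-01", "2026-04-06")
    print("filter bypass, vulnerable:", search_vulnerable(db, *bypass))
    print("filter bypass, fixed:     ", search_fixed(db, *bypass))
    # A UNION with the same column count pulls rows from an unrelated table.
    dump = ("x' UNION SELECT ID, user_login, user_pass FROM wp_users -- ",
            "2026-04-01", "2026-04-06")
    print("cross-table read, vulnerable:", search_vulnerable(db, *dump))
    print("cross-table read, fixed:     ", search_fixed(db, *dump))
```

The legitimate search returns the same two rows from both functions; the bypass payload returns every submission from the vulnerable one and nothing from the fixed one; the UNION payload returns the `wp_users` row from the vulnerable one, which is the cross-table read that makes an injection in a plugin table a problem for the whole site.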
CVE-2026-3330 was published on 2026-04-17. It is rated Medium (CVSS 4.9), a score that reflects the requirement for the attacker to already hold administrator privileges. No public exploit or active campaign is known at the time of writing, and the vulnerability is not in the CISA Known Exploited Vulnerabilities (KEV) catalog. Its EPSS score is 0.02% (4th percentile), a low estimated probability of exploitation in the wild.
Exploit status
EPSS
0.02% (percentile 4%)
CISA SSVC
CVSS vector
The fix for CVE-2026-3330 is to upgrade Form Maker by 10Web to version 1.15.41 or later. If the upgrade must wait for compatibility testing, reduce exposure in the meantime: add a WAF or reverse-proxy rule that rejects, or at least alerts on, SQL metacharacters (quotes, comment sequences, UNION/SELECT keywords) in the vulnerable parameters ipsearch, startdate, enddate, usernamesearch and useremail_search, none of which should ever carry anything but an IP address, a date, a username or an e-mail address; and review who holds the Administrator role, since that is the privilege the attack requires. WordPress does not log SQL queries by default, so look for exploitation attempts in web server, reverse-proxy or WAF logs (requests to the plugin's admin pages carrying those parameters) and in the database server's query log if one is enabled. After upgrading, verify that the installed plugin reports version 1.15.41 or later, then, on a staging copy, submit values containing a single quote or a comment sequence in those parameters and confirm that the response shows no SQL error and no change in the result set.
Update to version 1.15.41 or a later patched version.
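The log review suggested above, as an added example that is not part of the advisory: a small scanner that reads access-log lines in the common Apache/nginx format, pulls the query string, and flags any of the five named parameters whose value contains SQL syntax. The log lines are constructed, and the admin page slug in them (`page=submissions_fm`) is an assumption, not taken from the plugin.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The five parameters the advisory names as the injection points.
SUSPECT_PARAMS = {"ipsearch", "startdate", "enddate", "usernamesearch", "useremail_search"}

# SQL syntax that has no business in a value that should be an IP address, a
# date, a username or an e-mail address.
SQL_INDICATORS = re.compile(
    r"""(['"`;]|--|/\*|\b(?:union|select|sleep|benchmark|information_schema|or|and)\b)""",
    re.IGNORECASE)

# Common/combined access-log format (Apache and nginx defaults).
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3})')

# Constructed sample log: one benign search, two injection attempts, and one
# benign value (o'brien) that trips the apostrophe check. The admin page slug
# page=submissions_fm is an assumption, not taken from the plugin.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Apr/2026:10:01:02 +0000] "GET /wp-admin/admin.php?page=submissions_fm&ipsearch=203.0.113&startdate=2026-04-01&enddate=2026-04-17 HTTP/1.1" 200 5120
203.0.113.9 - - [17/Apr/2026:10:02:45 +0000] "GET /wp-admin/admin.php?page=submissions_fm&ipsearch=x%27+UNION+SELECT+1%2Cuser_login%2Cuser_pass+FROM+wp_users--+ HTTP/1.1" 200 7130
203.0.113.9 - - [17/Apr/2026:10:03:10 +0000] "GET /wp-admin/admin.php?page=submissions_fm&startdate=2026-04-01%27+AND+SLEEP%285%29--+&enddate=2026-04-17 HTTP/1.1" 200 5120
198.51.100.2 - - [17/Apr/2026:10:04:00 +0000] "GET /wp-admin/admin.php?page=submissions_fm&usernamesearch=o%27brien HTTP/1.1" 200 4000
"""


def findings_for(line):
    """Return one finding per suspect parameter whose value contains SQL syntax."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    out = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in SUSPECT_PARAMS:
            continue
        for value in values:  # parse_qs has already percent-decoded the value
            hit = SQL_INDICATORS.search(value)
            if hit:
                out.append({"src": m.group("src"), "ts": m.group("ts"),
                            "param": name, "value": value, "indicator": hit.group(0)})
    return out


def scan(log_text):
    """Scan a whole log and return every finding in file order."""
    return [f for line in log_text.splitlines() for f in findings_for(line)]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} param={f['param']} "
              f"indicator={f['indicator']!r} value={f['value']!r}")
```

Two caveats for real use. Access logs only show query strings, so if the plugin submits these filters in a POST body the values are visible only to a WAF, a proxy configured to log request bodies, or application-level logging. And the `o'brien` line shows why a hit is a review item rather than an automatic block: a lone apostrophe in a name is legitimate, while a quote followed by `UNION`, `SLEEP(` or a comment sequence is not.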
It is a SQL injection vulnerability in the Form Maker by 10Web WordPress plugin that lets an authenticated administrator extract data from the site's database.
If you're using Form Maker by 10Web version 1.15.40 or earlier, you are vulnerable.
Upgrade the Form Maker by 10Web plugin to version 1.15.41 or later. Consider WAF rules as a temporary workaround.
Currently, there are no known public exploits or active campaigns targeting this vulnerability.
Refer to the official 10Web advisory and the NVD entry for CVE-2026-3330 for detailed information.