CVE-2026-3359: WordPress Form Maker Plugin SQLi Exposes Data
The Form Maker by 10Web plugin for WordPress, a widely used drag-and-drop contact form builder, is vulnerable to SQL Injection via the ‘inputs’ parameter, according to the National Vulnerability Database. This flaw, tracked as CVE-2026-3359, affects versions up to and including 1.15.42.
The vulnerability stems from insufficient escaping on user-supplied parameters and a lack of proper preparation in the existing SQL queries. This critical oversight allows unauthenticated attackers to append arbitrary SQL queries, potentially extracting sensitive information directly from the WordPress database. The National Vulnerability Database has assigned this a CVSS score of 7.5 (HIGH).
This isn’t just about defacement; it’s about data exfiltration. Attackers can pull user details, configuration data, and potentially even hashed credentials. For organizations relying on this plugin, the risk of a breach is substantial, particularly given the ease with which unauthenticated attackers can exploit SQLi.
What This Means For You
- If your organization uses the Form Maker by 10Web plugin for WordPress, check your version immediately. Patch to the latest available version beyond 1.15.42. Assume compromise if you were running vulnerable versions and audit your database logs for unusual access patterns or large data exports. This is a direct path for unauthenticated attackers to sensitive data.
🛡️ Detection Rules
2 detection rules (Sigma YAML, exportable to 6 SIEM formats) were auto-generated for this incident and mapped to MITRE ATT&CK.
```yaml
title: CVE-2026-3359: WordPress Form Maker SQL Injection via 'inputs' parameter
id: scw-2026-05-05-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-3359 in the WordPress Form Maker plugin. This rule specifically looks for the 'action=submit_form' and 'inputs=' parameters in the URI query string, which are indicative of the SQL injection vulnerability. The 'inputs' parameter is vulnerable due to insufficient escaping, allowing attackers to inject malicious SQL code to extract data.
author: SCW Feed Engine (AI-generated)
date: 2026-05-05
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-3359/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    # '|all' makes the value list a conjunction, as the description intends;
    # without it Sigma treats a list as OR, so a request carrying only
    # 'form_id=' would match. Only the query string is inspected here:
    # the same parameters sent in a POST body are not visible in cs-uri-query.
    cs-uri-query|contains|all:
      - 'action=submit_form'
      - 'form_id='
      - 'inputs='
  condition: selection
falsepositives:
  - Legitimate administrative activity
  - Ordinary form submissions, which carry the same parameters; review the
    'inputs' value rather than alerting on presence alone
```
Source: Shimi's Cyber World
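To show how the rule's selection behaves on real log data, the following is an added Python example (not from the original page or the rule's author) that applies the rule's three substrings to W3C-format web server lines with Sigma's semantics: case-insensitive `contains`, with the value list treated as AND under `|all` and as OR otherwise. The log lines, paths and IP addresses are constructed for the illustration.

```python
from dataclasses import dataclass

# Field names follow the W3C extended log format (IIS uses the same names).
# These lines are constructed for this example, not captured traffic.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2026-05-05 12:20:01 198.51.100.7 GET /wp-admin/admin-ajax.php action=submit_form&form_id=3&inputs=name%3Dalice 200
2026-05-05 12:20:05 198.51.100.8 GET /wp-admin/admin-ajax.php action=heartbeat 200
2026-05-05 12:20:09 198.51.100.9 GET /index.php form_id=3 200
2026-05-05 12:20:12 198.51.100.7 POST /wp-admin/admin-ajax.php - 200
"""

# The three substrings from the rule's selection block.
PATTERNS = ("action=submit_form", "form_id=", "inputs=")

@dataclass
class Hit:
    client_ip: str
    query: str

def sigma_contains(value: str, patterns, require_all: bool) -> bool:
    """Sigma 'contains' is case-insensitive; a value list is OR unless |all is used."""
    v = value.lower()
    found = [p.lower() in v for p in patterns]
    return all(found) if require_all else any(found)

def scan(log_text: str, require_all: bool = True):
    """Return one Hit per line whose cs-uri-query satisfies the selection."""
    hits = []
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        query = rec.get("cs-uri-query", "-")
        if query == "-":  # POST bodies never appear here: a known blind spot
            continue
        if sigma_contains(query, PATTERNS, require_all):
            hits.append(Hit(rec["c-ip"], query))
    return hits

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h)
```

With `require_all=False` the bare `form_id=3` request is also flagged, which is the over-matching the `|all` modifier avoids.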
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-3359 | SQLi | Form Maker by 10Web plugin for WordPress |
| CVE-2026-3359 | SQLi | versions up to, and including, 1.15.42 |
| CVE-2026-3359 | SQLi | vulnerable parameter: 'inputs' |
| CVE-2026-3359 | SQLi | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 05, 2026 at 12:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.