CVE-2026-3359 WordPress Form Maker by 10Web Plugin <= 1.15.42 is vulnerable to a high priority SQL Injection
Critical SQL Injection (CVE-2026-3359) in WordPress Form Maker by 10Web Overview Published: 2026-05-05 CVE-ID: CVE-2026-3359 CVSS: 9.8 Critical Affected Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder Affected Versions: <= 1.15.42 Patched Version: 1.15.43 CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) Description The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the ‘inputs’ parameter. In versions up to and including 1.15.42, the plugin fails to sufficiently sanitize user-supplied data before incorporating it into SQL queries. This allows unauthenticated attackers to append malicious SQL commands to existing queries, potentially leading to the extraction of sensitive database information. ...