External risk intelligence

Form Maker by 10Web Unauthenticated SQL Injection Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-39502

An unauthenticated SQL injection vulnerability exists in the Form Maker plugin, potentially allowing attackers to access sensitive data from a website's database. This critical issue affects public-facing websites, and organizations should confirm whether they use the affected plugin and assess its exposure.

Halo Surface Signal score: 4

SQL Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-39502

This vulnerability exists in a WordPress form-building plugin. Such plugins are typically deployed to create public-facing web forms on websites, making the vulnerable component directly reachable by any user interacting with the website over the internet.

PCI scan relevance

PCI Relevance for CVE-2026-39502

Yes

CVE-2026-39502 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

Given the nature of SQL injection findings, this vulnerability is likely to cause a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in a widely used WordPress form-building plugin. The issue, an unauthenticated SQL injection, could allow an attacker to access sensitive data if the plugin is present on an organization's website. The primary concern is to confirm whether this specific plugin and version are in use and exposed.

  • Unauthenticated SQL injection in a form plugin.
  • Critical severity; impacts public-facing websites.
  • Confirm use and exposure for risk assessment.

Attack Path

How an attacker could exploit the issue

An attacker could target a website using the vulnerable Form Maker plugin by leveraging its unauthenticated SQL injection flaw. This could allow them to access or manipulate sensitive data stored in the website's database, leading to unauthorized information disclosure or disruption of services.

  • No authentication is required.
  • An attacker can submit a specially crafted request.
  • Risk of data exposure and service disruption.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to inject malicious SQL code into the affected plugin. This could potentially lead to unauthorized access or manipulation of the website's database when the form functionality is used.

  • Website database access.
  • Unauthenticated SQL injection.
  • Unauthorized data access or modification.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This SQL injection vulnerability in the Form Maker plugin likely impacts application owners who manage WordPress sites and their associated plugins. The first step is to identify all instances of this plugin across your environment, assess their exposure and business criticality, and then confirm the accountable owner for remediation.

  • Identify affected WordPress sites and plugin owners.
  • Verify plugin reachability and business impact.
  • Plan remediation based on risk assessment.

Frequently asked questions

What is the Form Maker by 10Web plugin?

Form Maker by 10Web is a software component designed for WordPress websites. Users install this plugin to build and embed interactive web forms, such as contact forms, surveys, or registration pages, directly onto their site's pages. It acts as an interface that manages how data provided by visitors is collected and stored within the website's underlying database.

What does SQL injection mean for CVE-2026-39502?

This vulnerability is classified as CWE-89, Improper Neutralization of Special Elements used in an SQL Command. In plain terms, the plugin fails to properly neutralize the input it receives before using it in a database query. Because of this, an attacker can place database commands in form fields, and the database then runs them as part of the query, potentially allowing unauthorized parties to view or interact with the information stored in the website's database.
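As an added illustration, not code from this advisory or from the Form Maker plugin, the following Python script contrasts the CWE-89 pattern described above with its parameterized fix on a constructed SQLite table. The table, its rows and the input values are made up for the example and have nothing to do with the plugin's real schema; the point is only how a bound parameter keeps a quote character from changing the query.

```python
import sqlite3

# Constructed sample data standing in for a form plugin's submissions table.
# The schema and rows are made up for this example; they are not the plugin's.
SAMPLE_ROWS = [
    (1, "contact", "alice@example.com"),
    (2, "contact", "bob@example.com"),
    (3, "survey", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE submissions (id INTEGER, form_name TEXT, email TEXT)")
    conn.executemany("INSERT INTO submissions VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, form_name: str) -> list:
    """CWE-89 pattern: the request value is spliced into the SQL text, so a
    quote character in the input ends the literal and changes the query."""
    sql = "SELECT id, email FROM submissions WHERE form_name = '" + form_name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, form_name: str) -> list:
    """Hardened form: the value is bound as a parameter, so the database only
    ever compares it as data, whatever characters it contains."""
    sql = "SELECT id, email FROM submissions WHERE form_name = ?"
    return conn.execute(sql, (form_name,)).fetchall()


def compare(form_name: str) -> dict:
    """Run one form value through both versions and report the row counts."""
    conn = make_db()
    try:
        return {
            "vulnerable_rows": len(lookup_vulnerable(conn, form_name)),
            "parameterized_rows": len(lookup_parameterized(conn, form_name)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # An ordinary value behaves the same either way.
    print("survey:", compare("survey"))
    # A value carrying a single quote: the concatenated query now returns every
    # row in the table, while the bound parameter matches nothing.
    print("quoted value:", compare("survey' OR '1'='1"))
```

In a WordPress plugin the bound-parameter form corresponds to building queries through `$wpdb->prepare()` rather than by string concatenation; the database driver, not a filter on the input, is what keeps the value from being interpreted as SQL.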

How does an attacker trigger this vulnerability?

The flaw is triggered when an attacker submits a specially crafted request to the vulnerable form plugin. Because this is an unauthenticated vulnerability, the attacker does not need a username, password, or any prior access to the website to attempt the attack. Simply interacting with a reachable form on the site is sufficient; the vulnerability cannot be triggered by standard, legitimate user inputs that do not contain malicious SQL code.

Is my website at risk from this CVE?

According to Halo Surface Signal, this vulnerability is considered a high priority because it resides in a form-building plugin. These plugins are intentionally designed to be public-facing, meaning they are accessible to anyone visiting your website via the internet. If you use an affected version of Form Maker by 10Web on a public site, the vulnerable component is likely reachable by an external attacker, increasing the relevance of this issue.

What should I do if I use Form Maker by 10Web?

Begin by auditing your WordPress environment to identify every site where this specific plugin version is installed. Once you have a complete inventory, determine which sites are public-facing and categorize them by their business impact. Coordinate with the individuals or teams responsible for managing those specific sites to ensure they are aware of the risk and prepared to apply necessary security updates as they become available.
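The inventory step in the Operational Fix section and in this answer can be scripted. The following Python script is an added example, not a tool from the advisory or from 10Web: it walks a list of WordPress document roots, reads the plugin's header to find its installed version, and compares it with the first fixed release. The plugin directory slug `form-maker` and main file `form-maker.php` are assumptions about the plugin's layout, and the fixed version is a placeholder to replace with the vendor's value; the docroot and header used in the demo are constructed.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Assumptions, not facts from the advisory: the plugin's directory slug and main
# file under a WordPress install, and a placeholder for the first fixed version.
PLUGIN_REL_PATH = Path("wp-content/plugins/form-maker/form-maker.php")
FIXED_VERSION_PLACEHOLDER = "REPLACE-WITH-VENDOR-FIXED-VERSION"

# Matches the "Version:" line of a WordPress plugin header comment block.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(text: str) -> tuple[int, ...]:
    """'1.15.20' -> (1, 15, 20). Numeric tuples compare correctly where strings
    do not ('1.9.0' < '1.10.0' is False as strings, True as tuples)."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def parse_plugin_header(text: str) -> str | None:
    """Return the Version value from plugin header text, or None if absent."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def is_affected(installed: str | None, fixed: str) -> bool | None:
    """True if the installed version is below the fixed one, False if it is at
    or above it. An unreadable version is treated as affected (conservative).
    Returns None when the fixed version is still a placeholder, so an unfilled
    value is never mistaken for a clean result."""
    fixed_tuple = parse_version(fixed)
    if not fixed_tuple:
        return None
    if installed is None:
        return True
    return parse_version(installed) < fixed_tuple


def inventory(docroots, fixed: str) -> list[dict]:
    """Check each WordPress document root for the plugin and its version."""
    results = []
    for root in map(Path, docroots):
        plugin_file = root / PLUGIN_REL_PATH
        if not plugin_file.is_file():
            results.append({"docroot": str(root), "installed": False,
                            "version": None, "affected": False})
            continue
        # WordPress itself reads plugin headers from the first 8 KiB of the file.
        version = parse_plugin_header(
            plugin_file.read_text(encoding="utf-8", errors="replace")[:8192])
        results.append({"docroot": str(root), "installed": True,
                        "version": version, "affected": is_affected(version, fixed)})
    return results


if __name__ == "__main__":
    # Constructed docroot with a fake plugin header, purely to show the output.
    with tempfile.TemporaryDirectory() as tmp:
        fake = Path(tmp) / PLUGIN_REL_PATH
        fake.parent.mkdir(parents=True)
        fake.write_text("<?php\n/**\n * Plugin Name: Form Maker\n * Version: 1.2.3\n */\n")
        docroots = [tmp, "/srv/www/not-a-wordpress-site"]
        for row in inventory(docroots, FIXED_VERSION_PLACEHOLDER):
            print(row)
```

Feed `inventory()` the document roots from your web server configuration or hosting control panel and the fixed version from the vendor's release notes; rows with `affected` set to `True` are the sites to hand to their owners first, and any row whose `version` is `None` deserves a manual look rather than being assumed clean.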
