CVE-2026-39502
Description
Unauthenticated SQL injection in Form Maker by 10Web plugin versions ≤1.15.38 allows attackers to steal database information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Form Maker by 10Web plugin for WordPress versions up to and including 1.15.38 contains an unauthenticated SQL injection vulnerability. The flaw exists in an unspecified parameter that does not properly sanitize user input before constructing SQL queries. No authentication is required to exploit this vulnerability, making it accessible to any remote attacker.
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable endpoint without any prior authentication. The attack does not require any user interaction or special network position beyond internet access. The vulnerability is expected to be used in mass-exploit campaigns targeting thousands of websites simultaneously [1].
Impact
Successful exploitation allows an attacker to directly interact with the WordPress database, including but not limited to stealing sensitive information such as user credentials, personal data, and other stored content. The CVSS score of 9.3 indicates critical severity [1].
Mitigation
The vulnerability is fixed in version 1.15.39 of the plugin. Users are advised to update immediately. For those unable to update, Patchstack has issued a mitigation rule to block attacks until the update is applied [1]. No other workarounds are mentioned in the available reference.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.