01 · The Real Story
This is a pickable side door on a smaller building, not a blown front gate
CVE-2026-3359 is an unauthenticated SQL injection in the WordPress plugin *Form Maker by 10Web* via the inputs parameter, affecting versions up to and including 1.15.42 and fixed in 1.15.43. In plain terms, a remote attacker can send crafted web requests to a site running the vulnerable plugin and manipulate backend SQL queries to read data out of the WordPress database.
The vendor's 7.5/HIGH baseline is directionally fair because the bug is remote, unauthenticated, and reachable through a public web stack. Where reality pulls it down from the edge of critical is deployment friction: only sites running this specific plugin are exposed, not every WordPress site; the most likely outcome is database disclosure rather than direct code execution; and current threat signals are weak with no KEV listing, no verified in-the-wild exploitation, and a very low EPSS.
"Internet-facing unauthenticated SQLi still matters, but the blast radius is narrower than a generic 7.5 suggests."
02 · The Attack Path
4 steps from start to impact.
STEP 01
Fingerprint the plugin
An attacker first confirms that the target WordPress site is running
form-maker, usually by probing for plugin assets, readme files, version metadata, or HTML/JS references. Commodity tooling like WPScan or passive enumeration scripts is enough here; no exploit code is needed yet.Conditions required:
- Target must be a WordPress site
- The
Form Maker by 10Webplugin must be installed - Plugin indicators must be remotely discoverable or inferable
Where this breaks in practice:
- Only the plugin's installed base is exposed, not the whole WordPress population
- Some sites hide plugin paths or serve through CDN/WAF layers that reduce easy fingerprinting
- Internal-only WordPress instances are not in play from the internet
Detection/coverage: External attack-surface scanners can usually identify WordPress and sometimes the plugin slug, but plugin/version accuracy is inconsistent unless readme files or static assets are exposed.
STEP 02
Reach the vulnerable request flow
The attacker has to find a live endpoint that processes the
inputs parameter through the vulnerable code path. In practice this is where generic SQLi meets application reality: the plugin must actually be exposed in a way that lets the attacker hit the relevant form-processing logic.Conditions required:
- A vulnerable form or request handler must be internet-reachable
- The site must not block malformed input before it reaches PHP
- The request must traverse to the vulnerable code path using
inputs
Where this breaks in practice:
- Not every site running the plugin exposes the same forms or handlers publicly
- Some reverse proxies and managed WAFs will kill obvious SQLi payloads before application processing
- Caching, bot controls, and custom routing can break generic exploit attempts
Detection/coverage: DAST scanners and WAF telemetry may flag suspicious requests containing SQL metacharacters in
inputs, but coverage depends on the exact endpoint exposure and WAF tuning.STEP 03
Exploit with commodity SQLi tooling
Once the parameter is confirmed reachable, the attacker can weaponize with
sqlmap or equivalent manual payloads to test boolean, error-based, or time-based injection and enumerate database structure. The public description indicates data extraction from existing queries, making sqlmap the obvious tool choice rather than a bespoke exploit chain.Conditions required:
- The backend query must remain injectable in the target deployment
- The database response behavior must allow inference or direct extraction
- The WAF or rate controls must not reliably block repeated probing
Where this breaks in practice:
- Blind extraction can be slow and noisy
- Managed hosting stacks often add WAF rules that stop stock
sqlmapsignatures - DB account permissions and query shape may limit what can actually be extracted
Detection/coverage: This step is fairly visible in HTTP logs: repeated requests, payload encoding variations, timing probes, and characteristic
sqlmap behavior. Good WAFs and web logs should see it.STEP 04
Pull useful WordPress data
The realistic payoff is theft of WordPress-resident data: user records, password hashes, plugin-stored submissions, email addresses, and site configuration secrets sitting in the same database. That can support follow-on phishing, credential cracking, or deeper access if sensitive form data or poorly protected secrets are present.
Conditions required:
- Valuable data must exist in the WordPress database
- The injection must expose tables of interest such as
wp_users,wp_options, or plugin submission tables - Attackers must be able to exfiltrate results without being blocked
Where this breaks in practice:
- This is not direct RCE by itself
- Password hashes still need cracking or credential reuse to become admin access
- Many marketing or brochure sites simply do not hold high-value data
Detection/coverage: Database and web logs may show unusually broad table enumeration or long-running requests, but most defenders will only see the web side unless the DB is instrumented.
03 · Intelligence Metadata
The supporting signals.
| In-the-wild status | No verified exploitation evidence found in the checked sources, and the CVE is not listed in CISA KEV. |
|---|---|
| Proof-of-concept availability | I did not find a named public GitHub/Exploit-DB PoC for this CVE. That said, this is still commodity-weaponizable with sqlmap once a reachable vulnerable endpoint is identified. |
| EPSS | 0.00091 from the user-supplied intel, i.e. roughly 0.09% 30-day exploitation probability. A secondary aggregator reports about P21 percentile; treat that percentile as unverified secondary context. |
| KEV status | Not KEV-listed in the CISA Known Exploited Vulnerabilities Catalog source checked. |
| CVSS vector reality check | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N is technically plausible: remote, no auth, no clicks, and primarily confidentiality impact rather than host takeover. |
| Affected versions | <= 1.15.42 according to NVD, Wordfence, WPScan, and Patchstack. |
| Fixed version | 1.15.43 is the first patched release. The WordPress.org changelog for 1.15.43 says Security issue fixed. |
| Exposure population | WordPress.org shows 30,000+ active installations. That's meaningful, but still a small plugin-specific population compared with ecosystem-wide WordPress issues. |
| Scanning / exposure data | There is no reliable internet-wide Shodan/Censys fingerprint for this plugin+version combination. Practical exposure assessment should come from your own ASM, WordPress inventories, and edge logs rather than search-engine counts. |
| Disclosure and reporter | Disclosed 2026-05-05. Wordfence credits researcher type5afe. |
04 · The Call
noisgate verdict.
Final Verdict
= UNCHANGED to HIGH (7.2/10)
The decisive factor is attacker position: this is still an *unauthenticated remote* bug on a public web stack, so exploitation is well within commodity tradecraft once a vulnerable site is found. What keeps it out of CRITICAL is the narrower reachable population and the fact that the expected outcome is database disclosure, not immediate code execution or estate-wide compromise.
HIGH Affected version range and fixed version
MEDIUM Real-world exploitability across typical enterprise deployments
MEDIUM Absence of public exploitation evidence
Why this verdict
- Baseline stays high: unauthenticated remote SQLi on an internet-facing WordPress plugin is real attacker work, not theoretical lab trivia.
- Downward pressure 1 — exposed population is narrow: the bug only matters where
Form Maker by 10Webis actually installed, and WordPress.org shows about30,000+active installs, not mass ecosystem reach. - Downward pressure 2 — reachable flow is narrower than CVSS assumes: the attacker still needs a publicly reachable form/request path that feeds the vulnerable
inputsparameter; some deployments will not present that cleanly. - Downward pressure 3 — modern edge controls should catch commodity attempts: a tuned WAF, managed WordPress edge service, or reverse proxy often breaks stock
sqlmaptraffic and obvious SQL metacharacter payloads. - Downward pressure 4 — impact is usually data theft, not instant server takeover: this CVE is about reading from the database; any move from stolen data to admin control or broader compromise requires follow-on success.
- Downward pressure 5 — threat intel is cold: no KEV entry, no verified campaign reporting, and a very low EPSS all argue against emergency-all-hands prioritization.
Why not higher?
This is not a generic WordPress core bug with massive reach, and the current record does not show active exploitation or KEV status. More importantly, the vulnerability description supports data extraction, not direct RCE, so the blast radius is materially smaller than internet-facing code execution flaws.
Why not lower?
Unauthenticated remote SQLi on a public web application is still a serious operator problem. If you do run this plugin on an exposed site, the barrier to entry is low, the tooling is mature, and even 'just' database disclosure can create credential, privacy, and regulatory pain.
05 · Compensating Control
What to do — in priority order.
- Block exploit strings at the edge — Deploy or tune WAF/reverse-proxy rules to inspect the
inputsparameter for SQL metacharacters, stacked-query patterns, boolean/time-based probes, andsqlmap-style traffic. For a HIGH verdict, put this in place within 30 days if patching cannot be completed immediately. - Inventory every
form-makerinstance — Use WordPress management tooling, file-system search, package inventory, or ASM to find every site running the plugin and mark whether it is internet-facing. Do this within 30 days so exposed systems are not hidden in the long tail. - Disable or remove unused forms — If the plugin is installed but not business-critical, disable the plugin or unpublish public forms to cut the reachable attack surface. Treat this as a within-30-days containment action for exposed sites.
- Restrict reachability where possible — For admin, staging, or partner-only WordPress sites, place the site behind VPN, allowlists, identity-aware proxy, or basic edge ACLs so unauthenticated internet traffic never reaches the vulnerable flow. For a HIGH verdict, do this within 30 days on non-public use cases.
- Watch web logs for SQLi patterns — Alert on
inputs=requests containing quotes, comments,UNION,SLEEP,BENCHMARK, encoding tricks, or bursty parameter fuzzing from the same source. Stand this up within 30 days to catch exploitation attempts while patch rollouts complete.
What doesn't work
MFAdoes not help because the bug is unauthenticated.CAPTCHAis not a reliable fix; the vulnerable code path can still be hit if requests reach the handler, and attackers automate around weak front-end checks.Updating WordPress corealone does not remediate a vulnerable plugin version.EDR on the web serveris not a primary control here because the main outcome is database disclosure over normal HTTP, not necessarily malware execution.
06 · Verification
Crowdsourced verification payload.
Run this on the target WordPress host or against a mounted web root. Invoke it as bash check_form_maker_cve_2026_3359.sh /var/www/html and give it read access to the plugin files; root is not required unless the web root is permission-restricted.
#!/usr/bin/env bash
# check_form_maker_cve_2026_3359.sh
# Detects whether WordPress Form Maker by 10Web is vulnerable to CVE-2026-3359
# Usage: bash check_form_maker_cve_2026_3359.sh /path/to/wordpress
# Exit codes:
# 0 = PATCHED
# 1 = VULNERABLE
# 2 = UNKNOWN
set -u
TARGET="${1:-}"
PLUGIN_DIR=""
VERSION=""
PATCHED_VERSION="1.15.43"
if [[ -z "$TARGET" ]]; then
echo "UNKNOWN - missing WordPress path argument"
exit 2
fi
if [[ ! -d "$TARGET" ]]; then
echo "UNKNOWN - target path does not exist: $TARGET"
exit 2
fi
PLUGIN_DIR="$TARGET/wp-content/plugins/form-maker"
if [[ ! -d "$PLUGIN_DIR" ]]; then
echo "UNKNOWN - form-maker plugin directory not found at $PLUGIN_DIR"
exit 2
fi
get_version_from_file() {
local file="$1"
if [[ -f "$file" ]]; then
awk -F': *' 'tolower($1)=="version" {print $2; exit}' "$file" | tr -d '\r'
fi
}
# Try common sources in order.
VERSION="$(get_version_from_file "$PLUGIN_DIR/readme.txt")"
if [[ -z "$VERSION" ]]; then
VERSION="$(get_version_from_file "$PLUGIN_DIR/form-maker.php")"
fi
if [[ -z "$VERSION" ]]; then
VERSION="$(grep -RIm1 "^[[:space:]]*Version:[[:space:]]*" "$PLUGIN_DIR" 2>/dev/null | sed -E 's/.*Version:[[:space:]]*([^[:space:]]+).*/\1/' | head -n1)"
fi
if [[ -z "$VERSION" ]]; then
echo "UNKNOWN - could not determine installed plugin version"
exit 2
fi
verlte() {
# returns 0 if $1 <= $2
[[ "$1" == "$2" ]] && return 0
local first
first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)
[[ "$first" == "$1" ]]
}
vergte() {
# returns 0 if $1 >= $2
[[ "$1" == "$2" ]] && return 0
local first
first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)
[[ "$first" == "$2" ]]
}
if verlte "$VERSION" "1.15.42"; then
echo "VULNERABLE - Form Maker version $VERSION is <= 1.15.42"
exit 1
fi
if vergte "$VERSION" "$PATCHED_VERSION"; then
echo "PATCHED - Form Maker version $VERSION is >= $PATCHED_VERSION"
exit 0
fi
echo "UNKNOWN - version $VERSION is in an unexpected state; verify vendor backporting or packaging"
exit 2
07 · Bottom Line
If you remember one thing.
TL;DR
Monday morning, pull a complete inventory of internet-facing WordPress sites and identify every host with
wp-content/plugins/form-maker at 1.15.42 or earlier. For this HIGH verdict, apply edge blocking, exposure reduction, or temporary disablement on any exposed instance within 30 days under the noisgate mitigation SLA, and complete the actual upgrade to 1.15.43+ within 180 days under the noisgate remediation SLA; if the plugin sits on a public customer-facing site, do not burn the full window—close it in your next normal web-app patch cycle.Sources
Peer Review
What defenders are saying.
Submit a review
attribution: handle + country only
0 flags selected · stored anonymously
Validation Results
Crowdsourced verification outputs.
Results submitted by users who ran the verification payload against their environment.