CVE-2026-39502: WordPress Form Maker by 10Web plugin <= 1.15.38 - SQL Injection vulnerability
Unauthenticated SQL injection in Form Maker by 10Web, versions <= 1.15.38.
Metrics
- CVSS v3.1: 9.3
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an unauthenticated SQL injection vulnerability in the Form Maker by 10Web WordPress plugin, affecting all versions up to and including 1.15.38. An attacker can reach the vulnerable endpoint over the network with no login or credentials required. Successful exploitation gives an attacker read access to the underlying database and limited ability to disrupt service availability. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
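The "all versions up to and including 1.15.38" condition is easy to get wrong with a naive string comparison (1.15.4 sorts after 1.15.38 lexically). The following is an added example, not HarborGuard's or 10Web's code, of the check a scanner or CI job would run over an extracted image or web root: read the WordPress plugin header and compare the version numerically. It assumes the plugin's main file lives at wp-content/plugins/form-maker/form-maker.php; the sample header string is constructed for the demo.

```python
import re
import sys
from pathlib import Path
from typing import Optional

# Highest affected release stated in the advisory.
LAST_AFFECTED = "1.15.38"

# Assumption: the plugin's main file, carrying the WordPress plugin header,
# is wp-content/plugins/form-maker/form-maker.php relative to the web root.
MAIN_FILE = Path("wp-content/plugins/form-maker/form-maker.php")

# The standard WordPress plugin header line, e.g. " * Version: 1.15.38".
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.M)

# Constructed sample header for the stand-alone demo (not the plugin's real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Form Maker by 10Web
 * Version: 1.15.38
 */
"""


def parse_version(v: str) -> tuple:
    """Numeric tuple so that 1.15.4 sorts below 1.15.38; a string compare gets that wrong."""
    parts = re.findall(r"\d+", v)
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True for every release up to and including LAST_AFFECTED."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def plugin_version_from_header(text: str) -> Optional[str]:
    """Extract the Version: value from a WordPress plugin header, or None if absent."""
    m = HEADER_RE.search(text)
    return m.group(1) if m else None


def scan_root(root: Path) -> dict:
    """Check one extracted image layer or web root for the plugin and its version."""
    main = root / MAIN_FILE
    if not main.is_file():
        return {"installed": False, "version": None, "affected": False}
    version = plugin_version_from_header(main.read_text(errors="replace"))
    if version is None:
        # Header present but unparseable: report unknown rather than silently passing.
        return {"installed": True, "version": None, "affected": None}
    return {"installed": True, "version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    print("sample header ->", plugin_version_from_header(SAMPLE_HEADER))
    for arg in sys.argv[1:]:
        print(arg, scan_root(Path(arg)))
```

Run it as `python check_form_maker.py /path/to/extracted/rootfs` for each image layer or web root; an `affected: None` result means the plugin directory is present but the header could not be parsed, which should be triaged by hand rather than treated as clean.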
HarborGuard Coverage
- Detection: Available. The CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against customer images in registries and CI/CD pipelines. Coverage extends to custom-built images that bundle this plugin.
- Triage: Available. HarborGuard scores this finding at CVSS 9.3 Critical (v3.1) and weights it against each customer environment's compliance policy to determine urgency and routing. Triage results are delivered to the inbox or ticketing integration configured for the affected team within each customer organization.
- Remediation: Pending upstream. Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment 10Web ships a remediated release. In the interim, customers with auto-remediation enabled will receive advisory-level notifications with compensating-control guidance attached to each affected image finding.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, meaning an attacker can send a crafted request from the public internet or any network path that reaches the WordPress installation.
- Authentication: Not required
No account, session, or credentials of any kind are needed to trigger the injection; the vulnerable code path is reachable anonymously.
- Victim interaction: Not required
The attacker sends a direct request to the server; no user action or social engineering is required to complete the attack.
- Attack complexity: Low
The exploit is reliable and repeatable without needing to satisfy any race condition, timing window, or environmental prerequisite.
Blast Radius
- An attacker can read arbitrary rows from the WordPress database: the wp_users table (usernames, e-mail addresses and password hashes), the hashed session tokens stored in wp_usermeta, and any data submitted through the plugin's forms.
- Because the injection is scored with a Changed scope (S:C), the impact crosses from the plugin into the WordPress database as a whole; if the database account WordPress connects with has been granted access to other schemas on the same server, those data stores are exposed as well.
- Service availability is partially affected (A:L); the attacker can issue resource-intensive queries that degrade or interrupt database responsiveness.
How HarborGuard Handles This
Because no upstream patch exists for this CVE as of publication, HarborGuard monitors the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild automatically once 10Web releases a fix. For environments with auto-remediation enabled, the rebuild, regression test run, and a PR against affected workloads are initiated without manual intervention the moment a fix version is confirmed. In the meantime, HarborGuard surfaces this finding as Critical in every affected image scan and supports attaching compensating-control annotations directly to the finding, such as network-policy rules that restrict inbound access to the WordPress installation, web application firewall rules targeting SQLi patterns on form submission endpoints, and feature-flag or plugin-deactivation guidance for teams whose compliance policy requires immediate risk reduction. Of these, deactivating the plugin is the only control that removes the vulnerable code path; network and WAF rules reduce exposure but can be bypassed. Where compliance policy permits automated advisory tracking, affected images are flagged for re-evaluation on each new ingest run so no new fix goes undetected.
Affected Products
- 10Web / Form Maker by 10Web: ≤ 1.15.38
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L