{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/form-maker-by-10web/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-3359"}],"_cs_exploited":false,"_cs_products":["Form Maker by 10Web"],"_cs_severities":["high"],"_cs_tags":["sql-injection","wordpress","plugin"],"_cs_type":"advisory","_cs_vendors":["10Web"],"content_html":"\u003cp\u003eThe Form Maker by 10Web plugin, a WordPress plugin for building mobile-friendly contact forms, is vulnerable to SQL injection. The vulnerability, tracked as CVE-2026-3359, affects all versions up to and including 1.15.42. The root cause is that the user-supplied \u0026lsquo;inputs\u0026rsquo; parameter is not sufficiently escaped before it is placed in an existing SQL query, and that query is not prepared (parameterized), so attacker-controlled input is interpreted as SQL rather than as a value. An unauthenticated attacker can therefore append their own SQL to the existing query and extract sensitive data from the WordPress database. 
Successful exploitation gives an unauthenticated attacker read access to potentially sensitive information, compromising the confidentiality of the WordPress site\u0026rsquo;s data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site running a vulnerable version (\u0026lt;= 1.15.42) of the Form Maker by 10Web plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request to a plugin endpoint that reads the \u0026lsquo;inputs\u0026rsquo; parameter; no login or session is needed.\u003c/li\u003e\n\u003cli\u003eThe request carries a SQL injection payload in the \u0026lsquo;inputs\u0026rsquo; parameter.\u003c/li\u003e\n\u003cli\u003eThe plugin places the parameter into its SQL query without sufficient escaping and without a prepared statement, so the payload is passed to the database server as query text rather than as a value.\u003c/li\u003e\n\u003cli\u003eThe database server executes the attacker-supplied SQL together with the intended query, performing operations the plugin never intended.\u003c/li\u003e\n\u003cli\u003eThe injected SQL reads data the endpoint was never meant to expose, such as user credentials (WordPress stores password hashes in its users table), the database structure, or other confidential records.\u003c/li\u003e\n\u003cli\u003eThe extracted data reaches the attacker directly in the HTTP response or, where query results are not reflected, is inferred one piece at a time from response differences or timing (blind extraction).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can disclose sensitive information stored in the WordPress database, including user credentials, personal data, and other confidential business information. Consequences include data breaches, reputational damage, and legal repercussions. 
While specific victim counts are unavailable, any WordPress site running a vulnerable version of the plugin is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Form Maker by 10Web plugin to a release later than 1.15.42 (the latest version) to remediate CVE-2026-3359.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Form Maker SQL Injection Attempt\u0026rdquo; to your SIEM to detect exploitation attempts targeting the \u0026lsquo;inputs\u0026rsquo; parameter.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests whose \u0026lsquo;inputs\u0026rsquo; parameter contains SQL syntax (quote characters, comment sequences, UNION/SELECT, SLEEP or BENCHMARK calls) and block the source addresses. Keep in mind that standard access logs record only the request line and query string, not POST bodies; if the parameter is submitted in a request body, the matching has to happen in a WAF or in request-body logging instead.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-22T12:00:00Z","date_published":"2024-01-22T12:00:00Z","id":"/briefs/2024-01-form-maker-sqli/","summary":"The Form Maker by 10Web WordPress plugin is vulnerable to SQL injection via the 'inputs' parameter in versions up to and including 1.15.42, allowing unauthenticated attackers to extract sensitive information from the database.","title":"SQL Injection Vulnerability in Form Maker by 10Web WordPress Plugin","url":"https://feed.craftedsignal.io/briefs/2024-01-form-maker-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Form Maker by 10Web","version":"https://jsonfeed.org/version/1.1"}
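An added example, not code from the feed, from the Sigma rule it names, or from 10Web: it implements the log-monitoring recommendation in Python. It parses Apache/nginx combined-format access log lines, isolates the 'inputs' parameter from the request target, flags values containing SQL syntax, and lists the source addresses to block. The log lines, addresses and payloads are constructed for the example. It assumes the parameter travels in the query string; the feed does not say whether the vulnerable endpoint reads it from the query string or a POST body, and POST bodies never appear in access logs, which is why the final POST line in the sample cannot be judged from the log alone. Treating `inputs[...]` array keys as the same parameter is also an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit, unquote_plus

# Constructed combined-format access log lines for this example (not real traffic).
# Lines 2 and 3 carry SQL syntax in the 'inputs' parameter; line 4 carries SQL-like
# words in a different parameter and must not be flagged; line 5 is a POST whose
# body (where 'inputs' may live) is not recorded in the access log at all.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Jan/2024:12:00:01 +0000] "GET /?inputs=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [22/Jan/2024:12:00:02 +0000] "GET /?inputs=1%27%20OR%20SLEEP(5)--%20 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.12 - - [22/Jan/2024:12:00:03 +0000] "GET /?inputs=1)%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users--%20 HTTP/1.1" 200 9001 "-" "curl/8.4"
203.0.113.13 - - [22/Jan/2024:12:00:04 +0000] "GET /?s=select%20a%20plan HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.14 - - [22/Jan/2024:12:00:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

# Apache/nginx combined log format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# SQL syntax that should not appear in a form-field identifier. Flagging a bare quote
# assumes 'inputs' normally holds numeric or identifier-like values (an assumption;
# the advisory does not describe the parameter's expected format).
SQLI_RE = re.compile(
    r"""(?ix)
    (?:'|"|`)                              # quote characters
    | --\s | \# | /\*                      # comment sequences
    | \bunion\b\s+(?:all\s+)?select\b      # UNION [ALL] SELECT
    | \bselect\b.+\bfrom\b                 # SELECT ... FROM
    | \b(?:sleep|benchmark)\s*\(           # time-based blind primitives
    | \b(?:and|or)\b\s+\S+\s*=\s*\S+       # boolean tautology (OR 1=1)
    """
)


def extract_inputs(target: str) -> list[str]:
    """Return the decoded values of the 'inputs' parameter from a request target.

    Also accepts PHP-style array keys such as inputs[0] (assumption: the plugin may
    submit the parameter as an array). Values are decoded a second time so a
    double-URL-encoded payload is not missed.
    """
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    values = [
        v
        for key, vals in params.items()
        if key == "inputs" or key.startswith("inputs[")
        for v in vals
    ]
    return [unquote_plus(v) for v in values]


def is_sqli(value: str) -> bool:
    """True if the decoded parameter value contains SQL syntax per SQLI_RE."""
    return SQLI_RE.search(value) is not None


def scan_log(text: str) -> list[dict]:
    """Return one record per request whose 'inputs' parameter looks like SQL injection."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for value in extract_inputs(m["target"]):
            sm = SQLI_RE.search(value)
            if sm:
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "method": m["method"],
                    "value": value,
                    "matched": sm.group(0),
                })
    return hits


def offending_ips(text: str) -> list[str]:
    """Distinct source addresses to block, in first-seen order."""
    return list(dict.fromkeys(h["ip"] for h in scan_log(text)))


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} inputs={hit['value']!r} matched={hit['matched']!r}")
    print("block:", offending_ips(SAMPLE_LOG))
```

Scoping the match to the decoded `inputs` value rather than to the whole request line is what keeps the `?s=select a plan` search request out of the results; matching raw request lines for SQL keywords is the usual source of false positives in this kind of rule. Decoding twice costs nothing on benign values and catches the double-encoding trick that single-pass WAF rules miss.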