PatchSiren cyber security CVE debrief
CVE-2026-39502 10Web CVE debrief
CVE-2026-39502 is a critical vulnerability in the Form Maker by 10Web plugin for WordPress, affecting versions up to and including 1.15.38. The vulnerability has a CVSS score of 9.3 and allows unauthenticated SQL injection. It was published on 2026-06-15 and last modified on 2026-06-15.
- Vendor: 10Web
- Product: Form Maker by 10Web
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Users of the Form Maker by 10Web plugin, particularly those using versions <= 1.15.38, should be aware of this vulnerability and take necessary actions to mitigate the risk.
Technical summary
The vulnerability is caused by an unauthenticated SQL injection weakness in the Form Maker by 10Web plugin. This allows attackers to inject malicious SQL code without needing authentication. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L.
Defensive priority
High
Recommended defensive actions
- Update the Form Maker by 10Web plugin to a version greater than 1.15.38.
- Review and restrict access to the plugin's functionality to prevent unauthorized use.
- Monitor for suspicious activity related to SQL injection attempts.
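To support the update step, the following added example (not code from the advisory or from 10Web) audits a WordPress plugins directory for Form Maker installs at or below 1.15.38 by reading each plugin file's standard `Plugin Name` and `Version` header fields. It assumes the plugin's header name contains "Form Maker" and that plugin files sit one directory below the path you pass in; the sample header is constructed.

```python
import re
import sys
from pathlib import Path

LAST_AFFECTED = (1, 15, 38)   # advisory: versions up to and including 1.15.38
NAME_MATCH = re.compile(r"form maker", re.I)   # assumption: header name contains this
HEADER_FIELD = re.compile(r"^[ \t/*#@]*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.I | re.M)

# Constructed sample header, not copied from the real plugin.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Form Maker
 * Version: 1.15.4
 */
"""

def parse_header(text):
    """Extract 'plugin name' and 'version' from a WordPress plugin file header."""
    fields = {}
    for key, value in HEADER_FIELD.findall(text[:8192]):  # WordPress reads the first 8 KB
        fields.setdefault(key.lower(), value)
    return fields

def is_affected(version):
    """True/False for a parseable version, None if it cannot be parsed."""
    numbers = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not numbers:
        return None
    parts = tuple(int(n) for n in numbers.group().split("."))
    width = max(len(parts), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))   # treat "1.15" as 1.15.0
    # Numeric comparison: as strings, "1.15.4" would sort after "1.15.38".
    return pad(parts) <= pad(LAST_AFFECTED)

def audit(plugins_dir):
    """Return (file, version, affected) for each matching plugin one level down."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        fields = parse_header(php.read_text(encoding="utf-8", errors="replace"))
        if NAME_MATCH.search(fields.get("plugin name", "")):
            version = fields.get("version", "")
            findings.append((str(php), version, is_affected(version)))
    return findings

if __name__ == "__main__":
    print(parse_header(SAMPLE_HEADER), is_affected("1.15.4"))
    for row in audit(sys.argv[1]) if len(sys.argv) > 1 else []:
        print(*row, sep="\t")
```

A result of `None` in the third column means the version string could not be parsed and the install should be checked by hand.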
Evidence notes
The vulnerability was reported by Patchstack, as indicated by the reference [ref-4].
Official resources
- CVE-2026-39502 CVE record (CVE.org)
- CVE-2026-39502 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference
CVE-2026-39502 was published on 2026-06-15T21:16:45.363Z and last modified on 2026-06-15T21:24:32.790Z.