[HIGH] CVE-2026-3359 — CVSS 7.5 (May 5, 2026)

A HIGH-severity vulnerability identified as CVE-2026-3359 has been published on May 5, 2026 with a CVSS base score of 7.5. This security advisory provides a detailed breakdown of the vulnerability, its potential impact, weakness classification, and actionable steps to protect your systems.

Vulnerability Details

CVE ID: CVE-2026-3359
Severity: HIGH
CVSS Score: 7.5
Published: May 5, 2026
Weakness (CWE): CWE-89

Technical Description

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection via the 'inputs' parameter in versions up to, and including, 1.15.42 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Potential Impact

If exploited, this high-severity vulnerability could allow an attacker to compromise sensitive data confidentiality. Organizations running affected software should treat this as a priority remediation item.

Recommended Action

No official patch is available yet. Until one is released:

1. Monitor the official NVD page and vendor channels for patch announcements.
2. Restrict access to the affected system or service where possible.
3. Apply network-level mitigations such as firewall rules or WAF policies.
4. Enable logging and alerting for anomalous activity related to this vulnerability.
5. Review your incident response plan in case of active exploitation.

View full details on NVD →

References

• Reference 1
• Reference 2

Related Security Advisories

• [CRITICAL] CVE-2026-3325 — CVSS 10.0 (April 29, 2026) — CRITICAL / CVSS 10.0
• [CRITICAL] CVE-2026-5964 — CVSS 9.8 (April 20, 2026) — CRITICAL / CVSS 9.8
• [HIGH] CVE-2026-2052 — CVSS 8.8 (May 2, 2026) — HIGH / CVSS 8.8