Security researchers have disclosed a critical SQL injection vulnerability in FormCraft, one of the most widely installed WordPress form builder plugins with over 4.7 million active installations. Tracked as CVE-2026-2847 with a CVSS score of 9.8, the flaw allows unauthenticated attackers to execute arbitrary SQL queries against the WordPress database, potentially extracting sensitive data, modifying content, or achieving full site compromise.
The vulnerability was responsibly disclosed to the plugin developer on February 14, 2026, and a patched version (3.9.2) was released on March 5. However, exploitation was detected in the wild as early as March 3, two days before the patch became available, suggesting that attackers independently discovered the flaw or gained access to details before public disclosure.
Affected versions: FormCraft 2.0 through 3.9.1
Fixed version: 3.9.2
Exploitation status: Active exploitation confirmed
Vulnerability Details
The vulnerability exists in the plugin's form submission handler, specifically in the AJAX endpoint responsible for processing form entries with filtering and search functionality. User-supplied input passed through the fc_search parameter is incorporated into SQL queries without adequate sanitization or parameterized query usage.
An unauthenticated attacker can craft a malicious request to the wp-admin/admin-ajax.php endpoint with a specially crafted fc_search value containing SQL injection payloads. Because the vulnerable function runs with the database privileges of the WordPress installation, successful exploitation grants full read and write access to all database tables.
# Simplified example of the vulnerable pattern (do not use for exploitation)
# The fc_search parameter is passed directly into a WHERE clause
# without proper escaping or prepared statement usage
$query = "SELECT * FROM wp_fc_submissions WHERE form_data LIKE '%" . $_POST['fc_search'] . "%'";
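The vulnerable pattern above and its hardened counterpart, side by side, as an added Python example that is not part of the advisory or the FormCraft code base. It uses an in-memory SQLite table named wp_fc_submissions with constructed rows as a stand-in for the plugin's MySQL table; the WordPress-native equivalent of search_fixed() would bind the value with $wpdb->prepare() and escape LIKE wildcards with $wpdb->esc_like(). The function and column names are assumptions chosen to mirror the snippet.

```python
import sqlite3


def make_db():
    """In-memory stand-in for wp_fc_submissions, seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_fc_submissions "
        "(id INTEGER PRIMARY KEY, form_id INTEGER, form_data TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_fc_submissions (form_id, form_data) VALUES (?, ?)",
        [
            (1, "name=alice;topic=invoice"),
            (1, "name=bob;topic=support"),
            (2, "name=carol;topic=invoice"),
        ],
    )
    return conn


def search_vulnerable(conn, fc_search):
    """Mirrors the advisory's pattern: the request value is concatenated straight
    into the WHERE clause, so the database parses it as part of the query."""
    query = "SELECT id FROM wp_fc_submissions WHERE form_data LIKE '%" + fc_search + "%'"
    return [row[0] for row in conn.execute(query)]


def search_fixed(conn, fc_search):
    """Hardened form: the value travels as a bound parameter, so it can only ever
    be compared as data. LIKE metacharacters are escaped as well, so a caller
    cannot widen the match with % or _."""
    escaped = (
        fc_search.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    )
    query = "SELECT id FROM wp_fc_submissions WHERE form_data LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(query, ("%" + escaped + "%",))]


if __name__ == "__main__":
    db = make_db()
    # A benign search behaves the same either way.
    print("vulnerable, benign:", search_vulnerable(db, "invoice"))
    print("fixed, benign:     ", search_fixed(db, "invoice"))
    # A textbook tautology payload turns the concatenated query into "match everything";
    # the bound parameter treats the same string as a literal and matches nothing.
    print("vulnerable, payload:", search_vulnerable(db, "%' OR 1=1 --"))
    print("fixed, payload:     ", search_fixed(db, "%' OR 1=1 --"))
```

The point the comparison makes is that escaping alone is not the fix: search_fixed() is safe because the value never reaches the SQL parser, and the LIKE escaping is a separate, secondary control against wildcard abuse.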
The impact of successful exploitation includes:
- Data extraction: Attackers can read the entire WordPress database, including user credentials (hashed passwords), email addresses, form submission data, and any other stored information.
- Privilege escalation: By modifying the wp_users table, attackers can change administrator passwords or create new admin accounts.
- Content manipulation: Database write access allows modification of posts, pages, and plugin settings.
- Remote code execution: In many configurations, database access can be leveraged to achieve code execution through techniques such as modifying active plugin code stored in the database or injecting malicious content into serialized options.
Exploitation in the Wild
Multiple security firms have confirmed active exploitation of this vulnerability. The observed attack patterns fall into two categories:
Automated scanning and data extraction: The majority of observed attacks are automated scans that probe for the presence of the vulnerable plugin and, upon finding it, execute SQL injection payloads designed to extract the wp_users table. This data is exfiltrated through time-based or error-based blind SQL injection techniques, as the endpoint does not directly return query results in the response.
Targeted site compromise: A smaller number of attacks involve more sophisticated payloads that create backdoor administrator accounts, inject web shells into the database, or modify site content to redirect visitors to malicious pages. These attacks appear to be manually directed rather than fully automated.
admin-ajax.php with the action=fc_search_entries parameter. Look for requests containing SQL keywords such as UNION, SELECT, SLEEP, or BENCHMARK in the fc_search parameter. Also audit the wp_users table for any accounts you do not recognize.
How to Check If You Are Affected
Determining your exposure involves several checks:
- Check if the plugin is installed: In your WordPress admin panel, navigate to Plugins and search for FormCraft. If it is not installed, you are not affected by this specific vulnerability.
- Check the version: If FormCraft is installed, verify the version number. Versions 2.0 through 3.9.1 are vulnerable. Version 3.9.2 and later contain the fix.
- Check for signs of compromise: Even if you have already updated, the vulnerability may have been exploited before the patch was applied. Review your user accounts for unfamiliar administrators, check recent file modifications for unexpected changes, and review server logs for the indicators described above.
For site administrators managing multiple WordPress installations, the WP-CLI tool can expedite this process:
# Check FormCraft version across multiple sites
wp plugin list --name=formcraft --fields=name,version,status
# List all administrator accounts to check for unauthorized additions
wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
# Search access logs for suspicious requests (adjust path as needed)
grep "fc_search_entries" /var/log/apache2/access.log | grep -iE "union|select|sleep|benchmark"
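The grep above matches raw, URL-encoded log lines, so it can miss a request whose keywords are percent-encoded, and it cannot see POST bodies at all. The following added Python example (not part of the advisory or of any vendor tooling) parses Apache combined-format lines, decodes the query string, and applies the advisory's indicators: the action=fc_search_entries parameter with SQL keywords in fc_search. The log lines are constructed samples; the readme.txt probe path used as a plugin-fingerprint indicator is an assumption of this example, not an indicator named in the advisory.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Mar/2026:02:14:07 +0000] "GET /wp-admin/admin-ajax.php?action=fc_search_entries&fc_search=1%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 54 "-" "python-requests/2.31"
203.0.113.10 - - [03/Mar/2026:02:14:09 +0000] "GET /wp-admin/admin-ajax.php?action=fc_search_entries&fc_search=x%27%20UNION%20SELECT%201%2C2%2C3--%20 HTTP/1.1" 200 54 "-" "python-requests/2.31"
198.51.100.7 - - [03/Mar/2026:08:01:22 +0000] "GET /wp-admin/admin-ajax.php?action=fc_search_entries&fc_search=invoice HTTP/1.1" 200 1830 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Mar/2026:08:01:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.0.2.55 - - [03/Mar/2026:09:30:00 +0000] "GET /wp-content/plugins/formcraft/readme.txt HTTP/1.1" 200 2210 "-" "curl/8.4"
192.0.2.55 - - [03/Mar/2026:09:30:05 +0000] "GET / HTTP/1.1" 200 9120 "-" "curl/8.4"
"""

# Keywords named in the advisory's indicators; matched on the decoded value.
SQLI_KEYWORDS = re.compile(r"\b(union|select|sleep|benchmark)\b", re.IGNORECASE)

# Apache combined format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line):
    """Return a finding dict for one log line, or None if nothing stands out."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target = m.group("ip", "ts", "method", "target")
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        # Assumed fingerprint path: scanners commonly fetch a plugin's readme to
        # confirm it is installed. Not an indicator from the advisory itself.
        if parts.path.endswith("/wp-content/plugins/formcraft/readme.txt"):
            return {"ip": ip, "ts": ts, "kind": "plugin-fingerprint", "evidence": parts.path}
        return None
    if method == "POST" and not parts.query:
        # Access logs never record the request body, so a POST to admin-ajax.php
        # cannot be cleared from this log alone; check WAF or application logs.
        return {"ip": ip, "ts": ts, "kind": "post-body-not-logged", "evidence": target}
    params = parse_qs(parts.query)  # percent-decodes values, so %55NION is seen as UNION
    if params.get("action", [""])[0] != "fc_search_entries":
        return None
    search = params.get("fc_search", [""])[0]
    if SQLI_KEYWORDS.search(search):
        return {"ip": ip, "ts": ts, "kind": "sqli-attempt", "evidence": search}
    return None


def scan(log_text):
    """Classify every line; return the findings and a per-IP count of injection attempts."""
    findings = [f for f in (classify(line) for line in log_text.splitlines()) if f]
    attempts = Counter(f["ip"] for f in findings if f["kind"] == "sqli-attempt")
    return findings, attempts


if __name__ == "__main__":
    found, by_ip = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']}  {f['ip']:<15} {f['kind']:<22} {f['evidence']!r}")
    print("injection attempts by source:", dict(by_ip))
```

Run it against a real log with scan(open("/var/log/apache2/access.log").read()). A source that appears under sqli-attempt, or one that fingerprints the plugin and then sends unlogged POSTs, is a lead to follow in the wp_users audit and file-modification review described earlier.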
Patching Steps
The immediate priority is updating the plugin to version 3.9.2 or later. The following steps are recommended:
- Back up your site: Before making any changes, create a full backup of both the WordPress files and database. This provides a recovery point if anything goes wrong during the update.
- Update the plugin: Navigate to Plugins in the WordPress admin panel, locate FormCraft, and click Update. Alternatively, use WP-CLI: wp plugin update formcraft.
- Verify the update: Confirm that the installed version is now 3.9.2 or later. Test form functionality to ensure the update has not broken anything.
- Audit for compromise: After patching, perform the compromise checks described above. If you find evidence of exploitation, treat it as a security incident requiring full investigation and remediation.
- Reset credentials: If there is any possibility the site was compromised before patching, reset all WordPress administrator passwords, regenerate WordPress security salts in wp-config.php, and revoke all active sessions.
WAF Rules as Temporary Mitigation
For sites where immediate patching is not feasible, web application firewall rules can provide temporary protection. Several major WAF providers, including Cloudflare, Sucuri, and Wordfence, have deployed virtual patches for this vulnerability.
If you manage your own WAF, the following ModSecurity rule provides basic protection against the most common exploitation patterns:
# ModSecurity rule to block SQL injection via fc_search parameter
# This is a temporary mitigation — patching remains essential
SecRule ARGS:fc_search "@detectSQLi" \
"id:100001,\
phase:2,\
deny,\
status:403,\
log,\
msg:'Potential SQL injection in FormCraft search parameter',\
severity:'CRITICAL'"
This incident is another reminder of the risks inherent in WordPress's plugin ecosystem. The platform's extensibility is one of its greatest strengths, but each plugin represents additional attack surface maintained by third-party developers with varying security practices. Organizations running WordPress should maintain plugin inventories, establish update policies, subscribe to vulnerability feeds, and consider reducing their plugin footprint to only those that are genuinely necessary.
For sites that collected sensitive data through FormCraft forms, this vulnerability may trigger data breach notification obligations depending on jurisdiction. Consult with legal counsel if there is any indication that form submission data may have been accessed by unauthorized parties.