
CVE-2022-3300: CWE-89 SQL Injection in Unknown Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Severity: High
Tags: Vulnerability, CVE-2022-3300, cve, cve-2022-3300, cwe-89
Published: Tue Oct 25 2022 (10/25/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: Unknown
Product: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Description

The Form Maker by 10Web WordPress plugin before 1.15.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

AI-Powered Analysis

AI analysis last updated: 07/05/2025, 00:11:57 UTC

Technical Analysis

CVE-2022-3300 is a high-severity SQL injection vulnerability in the WordPress plugin 'Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder', affecting versions prior to 1.15.6. The plugin fails to properly sanitise and escape user-supplied input before incorporating it into SQL queries: a parameter used in the plugin's database operations is not adequately validated, so an attacker with high privileges, such as an administrator, can inject SQL into the statement. The injection can lead to unauthorized data access, modification or deletion, compromising the confidentiality, integrity and availability of the affected WordPress site's data. The CVSS 3.1 base score of 7.2 reflects a network attack vector, low attack complexity, a requirement for high privileges, no user interaction, and impact on confidentiality, integrity and availability. Although exploitation requires administrative privileges, the vulnerability is critical because it lets an attacker who already holds elevated access escalate their control further, potentially to full database compromise, data leakage or site defacement. No public exploits had been reported in the wild as of the publication date, but the nature and impact of the flaw make it a significant risk for affected sites. Because the advisory provides no patch link, users should verify directly that the installed plugin is version 1.15.6 or later, where the issue is resolved.
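As an added illustration (not the plugin's code, which the advisory does not show), the unsanitised-parameter pattern the description refers to, placed beside a hardened version that uses WordPress's own database API; the handler names, the `form_id` parameter and the `example_forms` table are assumptions:

```php
<?php
// Constructed illustration of the CWE-89 pattern behind CVE-2022-3300; this is NOT
// Form Maker's code. The `form_id` parameter and the example_forms table are assumptions.

// Vulnerable pattern: the request parameter is interpolated straight into the SQL text,
// so any SQL syntax in the value becomes part of the statement.
function example_delete_form_vulnerable() {
    global $wpdb;
    $form_id = $_POST['form_id'];                     // untrusted and unsanitised
    $table   = $wpdb->prefix . 'example_forms';
    $wpdb->query( "DELETE FROM {$table} WHERE id = " . $form_id );
}

// Hardened pattern: capability check, nonce verification, strict type coercion,
// and a prepared statement with a bound placeholder.
function example_delete_form_hardened() {
    global $wpdb;

    // Admin-only code paths still need an explicit capability check and CSRF protection.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_delete_form' );

    // absint() reduces the value to a non-negative integer; no SQL syntax survives it.
    $form_id = absint( $_POST['form_id'] ?? 0 );
    if ( 0 === $form_id ) {
        wp_die( 'Invalid form id', '', array( 'response' => 400 ) );
    }

    // The table name comes from the trusted $wpdb->prefix, never from the request,
    // so it may be interpolated; the value is bound through %d by $wpdb->prepare().
    $table = $wpdb->prefix . 'example_forms';
    $sql   = $wpdb->prepare( "DELETE FROM {$table} WHERE id = %d", $form_id );

    return (int) $wpdb->query( $sql );                 // rows affected, or 0 on error
}
```

Auditing a plugin for this class of bug means looking for every `$wpdb->query()`, `get_results()`, `get_var()` or `get_row()` call whose SQL string is built from request data without `$wpdb->prepare()` or an equivalent cast.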

Potential Impact

For European organizations using WordPress sites with the vulnerable Form Maker plugin, this vulnerability poses a significant risk. If an attacker gains administrative access, whether through phishing, credential theft or other means, they could exploit this SQL injection to manipulate the site's database, leading to data breaches involving sensitive customer or business information. This could result in regulatory non-compliance under GDPR, financial losses, reputational damage and operational disruption. Compromised sites could also be used to distribute malware or to stage further attacks within an organization's network. The impact is particularly severe for organizations relying on WordPress for customer-facing portals, e-commerce or internal applications where data integrity and availability are critical.

Mitigation Recommendations

European organizations should immediately verify the version of the Form Maker by 10Web plugin installed on their WordPress sites and upgrade to version 1.15.6 or later, where the vulnerability is fixed. Beyond patching, organizations should implement strict access controls to limit administrative privileges only to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. Regularly auditing user accounts and plugin usage can help detect unauthorized access. Employing Web Application Firewalls (WAFs) configured to detect and block SQL injection attempts can provide an additional layer of defense. Organizations should also maintain regular backups of their WordPress sites and databases to enable rapid recovery in case of compromise. Finally, monitoring logs for unusual database queries or administrative actions can aid in early detection of exploitation attempts.


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2022-09-26T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9817c4522896dcbd74b3

Added to database: 5/21/2025, 9:08:39 AM

Last enriched: 7/5/2025, 12:11:57 AM

Last updated: 8/1/2025, 4:52:22 AM
