Attack Vectors
CVE-2026-27373 is a Medium-severity (CVSS 6.5) vulnerability affecting the WordPress plugin Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent (slug: tablesome) in versions up to and including 1.2.3.
This issue is an authenticated (Subscriber+) SQL Injection vulnerability. In practical terms, an attacker must be able to log in to your WordPress site with at least Subscriber privileges (or higher). Once authenticated, they can supply crafted input to the vulnerable parameter so that extra SQL is appended to an existing query, and use the result to read sensitive data from the WordPress database over the network. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) captures this: network-reachable, low attack complexity, low privileges required, no user interaction, with a High confidentiality impact and no integrity or availability impact.
Organizations are most exposed when they allow public self-registration, have many low-privilege accounts (customers, members, event registrants), or have a history of account compromise via password reuse or phishing. Even if only one subscriber account is compromised, it can be enough to trigger database exposure.
Security Weakness
The vulnerability is caused by insufficient escaping of a user-supplied parameter combined with a lack of sufficient preparation on an existing SQL query in Tablesome versions up to and including 1.2.3. In WordPress terms, the parameter is concatenated into the SQL string rather than bound through $wpdb->prepare(), so an authenticated attacker can append additional SQL onto the existing query. The advisory does not publish the affected parameter or code path.
According to the published advisory, this can be used to extract sensitive information from the database. The risk is primarily about confidentiality (data exposure) rather than availability or direct data modification, which matches the I:N/A:N components of the CVSS vector.
Remediation: Update Tablesome to version 1.2.4 or a newer patched version as soon as possible, and confirm the installed version afterwards from the Plugins screen or WP-CLI. If the update cannot be applied immediately, deactivate the plugin until it can, and review whether public self-registration is actually needed on the site. Reference: Wordfence vulnerability record. Official CVE entry: CVE-2026-27373.
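The weakness class described above, as an added illustration that is not Tablesome's own code (the advisory does not publish the affected parameter or function): a hypothetical WordPress search handler that concatenates user input into a $wpdb query, beside a hardened version. It goes slightly beyond the advisory by also handling column and sort-direction parameters, which $wpdb->prepare() cannot bind and which therefore need an allow-list. All function, table, and request parameter names below are assumptions.

```php
<?php
/**
 * Illustrative only, not Tablesome's code. Shows the weakness class the
 * advisory describes (user input concatenated into a $wpdb query) next to a
 * hardened version. Table, function and parameter names are hypothetical.
 */

// --- VULNERABLE: the search string is spliced straight into the SQL text. ---
// Any user who can reach this code path (here: any logged-in user) controls
// part of the query.
function example_search_rows_vulnerable( string $search ): array {
    global $wpdb;
    $table = $wpdb->prefix . 'example_entries';   // hypothetical table
    $sql   = "SELECT id, payload FROM {$table} WHERE payload LIKE '%{$search}%'";
    return $wpdb->get_results( $sql, ARRAY_A );
}
// A search value such as
//   x%' UNION SELECT user_login, user_pass FROM wp_users -- 
// (note the trailing space after "--") closes the LIKE literal, appends a
// second SELECT with the same column count, and comments out the rest, so
// credential hashes come back in the result set.

// --- HARDENED: values are bound with $wpdb->prepare(); identifiers are
// checked against a fixed allow-list because placeholders cannot bind them. ---
function example_search_rows_hardened( string $search, string $sort, string $dir ): array {
    global $wpdb;
    $table = $wpdb->prefix . 'example_entries';

    // Column name and direction are SQL identifiers/keywords, not values:
    // allow-list them, never "escape" them.
    $allowed_cols = [ 'id', 'created_at' ];
    $sort = in_array( $sort, $allowed_cols, true ) ? $sort : 'id';
    $dir  = strtoupper( $dir ) === 'DESC' ? 'DESC' : 'ASC';

    // Treat LIKE wildcards typed by the user as literal characters.
    $like = '%' . $wpdb->esc_like( $search ) . '%';

    // %s is emitted as a quoted, escaped string and %d as an integer.
    // $table, $sort and $dir were fixed or allow-listed above, so interpolating
    // them cannot change the query's structure.
    $sql = $wpdb->prepare(
        "SELECT id, payload FROM {$table} WHERE payload LIKE %s ORDER BY {$sort} {$dir} LIMIT %d",
        $like,
        50
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Entry point: being logged in is not authorisation. Require a nonce and a
// capability that actually fits the data being read (hypothetical choice here).
add_action( 'wp_ajax_example_search', function () {
    check_ajax_referer( 'example_search', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $rows = example_search_rows_hardened(
        sanitize_text_field( wp_unslash( $_GET['q'] ?? '' ) ),
        sanitize_key( $_GET['sort'] ?? 'id' ),
        sanitize_key( $_GET['dir'] ?? 'asc' )
    );
    wp_send_json_success( $rows );
} );
```

The two fixes are independent and both matter: prepare() and the allow-list stop the query text from being altered, while the capability check stops a Subscriber from reaching the query at all. Sanitizing the input with sanitize_text_field() on its own would not have prevented the injection, because the quote character survives it; only binding (or allow-listing, for identifiers) removes the attacker's influence on query structure.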
Technical or Business Impacts
If exploited, this SQL Injection weakness may allow an attacker to pull sensitive records from the WordPress database. For leadership teams, this translates into a data exposure risk that can involve customer, prospect, or operational information stored in WordPress.
Common business impacts include:
- Regulatory and contractual exposure: If personal data is accessed, this can trigger notification duties and compliance investigations (depending on jurisdiction and data type).
- Brand and revenue impact: Data exposure tied to lead capture and contact workflows can reduce trust and lower conversion rates, especially if customers believe forms are not safe.
- Incident response cost: Forensics, legal review, customer communications, and hardening work often exceed the cost of routine patching.
- Secondary compromise risk: Exposed data can be used for targeted phishing, account takeover attempts, or competitive intelligence.
From a governance standpoint, treat this as a time-sensitive patching issue: even though severity is Medium, the CVSS confidentiality impact is rated High, and the required privilege level (Subscriber) is commonly attainable in real-world WordPress environments.
Similar Attacks
SQL Injection is a well-known path to data exposure and has been associated with major real-world incidents, including:
- TalkTalk (2015 cyberattack) (widely reported as involving SQL injection and resulting in significant data exposure and business fallout).
- Heartland Payment Systems (2008 data breach) (a major payment data breach, commonly cited in discussions of web application attack vectors including SQL injection).