Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminat…

Mar 5, 2026 | Plugins

Attack Vectors

Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent (slug: tablesome) is affected by an authenticated (Subscriber+) SQL Injection vulnerability in versions up to and including 1.2.3. Severity is described as Medium with a CVSS 6.5 score (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

From a business-risk perspective, the primary attack path is not a drive-by website visit—it assumes an attacker can log in with at least a Subscriber-level account. That access could come from credential reuse, phishing, shared credentials, weak passwords, or an unrelated compromise that results in a low-privilege WordPress account.

Once logged in, the attacker can exploit a vulnerable, user-supplied parameter to manipulate database queries. Because the vulnerability is remotely reachable over the network and does not require user interaction, the key gating factor is simply having that authenticated account.

Reference: CVE-2026-27373

Security Weakness

This issue is a SQL Injection weakness caused by insufficient escaping of a user-supplied parameter and insufficient preparation of an existing SQL query in Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent versions ≤ 1.2.3. According to the published details, this allows authenticated attackers (Subscriber+) to append additional SQL into existing queries.
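To make the weakness concrete, here is an added PHP illustration (not code from the Tablesome plugin; the advisory does not show the affected code) that places the pattern the advisory describes, a user-supplied value reaching an unprepared query, beside the WordPress-idiomatic fix. The table name, the `table_id` parameter, the function names and the capability checked are all hypothetical.

```php
<?php
// Added example, not code from the Tablesome plugin. The table name,
// the "table_id" parameter and the function names are hypothetical.

// Weak pattern: the request value is concatenated straight into SQL with
// no escaping and no preparation, so the query structure is under the
// control of whoever can reach this code (here: any logged-in user).
function hypothetical_get_rows_unsafe() {
    global $wpdb;
    $table_id = $_GET['table_id'];
    $sql = "SELECT * FROM {$wpdb->prefix}hypothetical_rows WHERE table_id = " . $table_id;
    return $wpdb->get_results( $sql );
}

// Hardened pattern: gate by capability, validate the type, and let
// $wpdb->prepare() bind the value so it can never alter the query.
function hypothetical_get_rows_safe() {
    global $wpdb;

    // Subscribers do not hold this capability; only site administrators do.
    // The choice of capability is an assumption for the example.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient privileges.' );
    }

    // absint() forces a non-negative integer before the value touches SQL.
    $table_id = isset( $_GET['table_id'] ) ? absint( $_GET['table_id'] ) : 0;
    if ( 0 === $table_id ) {
        return new WP_Error( 'bad_request', 'Invalid table id.' );
    }

    // %d binds an integer placeholder; %s would quote and escape a string.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}hypothetical_rows WHERE table_id = %d",
        $table_id
    );
    return $wpdb->get_results( $sql );
}
```

When reviewing a plugin for this class of bug, look for `$wpdb->query()` / `get_results()` / `get_var()` calls whose SQL string is built with concatenation or interpolation of request data rather than passed through `$wpdb->prepare()`.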

In practical terms, SQL Injection is a database-query manipulation problem. For business leaders, the important takeaway is that a plugin component intended to help store and manage form submissions can become a pathway to access information stored in the same WordPress database.

At the time of the referenced advisory, there is no known patch available. That elevates decision urgency because “wait for an update” may not be an acceptable strategy depending on your regulatory exposure and data sensitivity.

Technical or Business Impacts

The stated CVSS vector indicates a high confidentiality impact (C:H) with no declared integrity or availability impact (I:N/A:N). In business terms, this means the most credible near-term risk is data exposure, not website downtime or visible defacement.

Potential impacts include exposure of sensitive information stored in the WordPress database—such as customer contact details, form submission content, internal user information, or other data your site stores—depending on what is present in your environment. This can translate into compliance reporting obligations, contractual notification requirements, reputational harm, and increased sales friction if prospects lose trust.

Because the attacker must be authenticated, this is also a strong reminder that “low privilege” does not mean “low risk.” Subscriber accounts are common on marketing sites (newsletters, gated content, partner portals), and compromised credentials can turn routine user access into a meaningful data-leak event.

Mitigation guidance (given no known patch): review your risk tolerance and consider uninstalling the affected plugin and replacing it. If removal is not immediately possible, reduce exposure by limiting or disabling unnecessary Subscriber registrations, tightening account security (unique passwords and MFA where feasible), and monitoring for unusual authenticated activity while you plan a safer alternative.

Similar Attacks

SQL Injection is a long-standing and widely exploited category of vulnerability. Real-world incidents tied to SQL Injection have led to large-scale data exposure across industries.

Examples include the TalkTalk 2015 breach, the British Airways ticketing fraud scheme tied to SQL Injection (U.S. DOJ case), and the Heartland Payment Systems breach, in which SQL Injection was reported as a key factor.
