Description
The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses html_entity_decode() on user-supplied hidden field values without subsequent escaping before output, which converts HTML entity-encoded payloads back into executable JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin submissions view that will execute whenever an administrator accesses the submissions list.
Published: 2026-02-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross-site scripting
Action: Immediate Patch
AI Analysis

Impact

The Form Maker plugin for WordPress is vulnerable to stored cross-site scripting via hidden field values. Because the plugin applies html_entity_decode() to user-supplied hidden field values and echoes the result without escaping it, an attacker can store a payload that executes in the browser of any administrator who opens the submissions list. This is script execution in the administrator's browser session, not server-side code execution, but it runs with that administrator's cookies and nonces, so it enables session theft, defacement, data exfiltration and any other action the administrator is permitted to take.

Affected Systems

All versions of the 10Web Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin up to and including 1.15.35 are affected. The plugin is a WordPress add‑on that is publicly available on the WordPress plugin repository.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 7.1 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and an EPSS below 1 %. It is not listed in the CISA Known Exploited Vulnerabilities catalog, and the SSVC assessment recorded in the history below marks exploitation as "none" and the issue as not automatable. Exploitation requires no authentication: hidden fields are set by the page rather than typed by the visitor, so the attacker simply crafts the form POST with a malicious value in a hidden field instead of filling in the rendered form. The payload is then stored and runs with the administrator's privileges when an admin views the submissions list (the UI:R component of the vector). The low EPSS is a prediction of near-term exploitation probability, not evidence that exploitation has not occurred; the impact when it is exploited is script execution in an administrator session.

Generated by OpenCVE AI on April 15, 2026 at 21:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Form Maker to a release newer than 1.15.35 that addresses this issue; check the plugin changelog for 1.15.36 or later. The Remediation field above records no vendor fix at the time of writing, so confirm that the release you install actually contains the fix before relying on it.
  • Until the patch is applied, disable the Form Maker plugin or delete the affected form(s). Because the payload is stored, also review existing submissions for hidden field values that decode to HTML and remove them: the patch changes how values are rendered, but a payload already in the database stays there and would fire again through any other code path that renders it unescaped.
  • Fix the root cause at output time: escape the value immediately before it is echoed (esc_html() in the WordPress API), after any html_entity_decode() call, or drop the decode entirely. Input-side sanitisation (for example sanitize_text_field()) is worth adding as defence in depth, but note that escaping on input and decoding on output is exactly the pattern that produced this bug, so the escape at the point of output is the one that must never be skipped.
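The decode-then-echo pattern that the description names and the output-time escaping the last recommendation calls for, shown side by side, together with a triage helper for the stored-payload clean-up mentioned above. This is an added example written for this page, not code from the Form Maker plugin or from 10Web: the field names, the sample submission and the audit heuristic are constructed for the demonstration, and because WordPress is not loaded here a local shim stands in for esc_html() with the same htmlspecialchars() semantics.

```php
<?php
// Added example for this page, not the plugin's code.
// Assumptions: WordPress is not loaded, so esc_html() is stood in for by a
// local shim with equivalent behaviour (htmlspecialchars, ENT_QUOTES, UTF-8).
// Field names and the sample submission below are constructed for the demo.

declare(strict_types=1);

if (!function_exists('esc_html')) {
    // Stand-in for WordPress esc_html(): escape &, <, >, ", ' for text context.
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed submission, as an unauthenticated attacker could POST it.
// The payload is entity-encoded, so the stored string contains no raw '<'.
const CONSTRUCTED_SUBMISSION = [
    'hidden_ref'   => 'campaign-42',
    'hidden_trick' => '&lt;img src=x onerror=alert(document.cookie)&gt;',
];

// Vulnerable pattern from the advisory: decode entities, then echo as-is.
function render_hidden_value_vulnerable(string $stored): string
{
    $decoded = html_entity_decode($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td>' . $decoded . '</td>'; // any markup in $decoded is now live
}

// Fixed pattern: whatever decoding happens first, escape at the point of output.
function render_hidden_value_fixed(string $stored): string
{
    $decoded = html_entity_decode($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td>' . esc_html($decoded) . '</td>';
}

// Triage heuristic for existing submissions: does the stored value turn into
// something tag-like once decoded? Coarse by design; it produces a shortlist
// to inspect and delete, not a proof of safety for anything it does not flag.
function decodes_to_markup(string $stored): bool
{
    $decoded = html_entity_decode($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return preg_match('/<\s*\/?[a-z!?]/i', $decoded) === 1;
}

// Returns the names of fields in one submission that the heuristic flags.
function audit_submission(array $fields): array
{
    $flagged = [];
    foreach ($fields as $name => $value) {
        if (decodes_to_markup((string) $value)) {
            $flagged[] = $name;
        }
    }
    return $flagged;
}

foreach (CONSTRUCTED_SUBMISSION as $name => $value) {
    echo "$name vulnerable: " . render_hidden_value_vulnerable($value) . PHP_EOL;
    echo "$name fixed:      " . render_hidden_value_fixed($value) . PHP_EOL;
}
echo 'flagged fields: ' . implode(', ', audit_submission(CONSTRUCTED_SUBMISSION)) . PHP_EOL;
```

Run it with the php command-line binary. For the constructed hidden_trick field the vulnerable render emits a live <img ... onerror=...> element into the admin page, while the fixed render emits the same characters as inert text, and the audit flags only that field. The order matters: decoding and then escaping is safe for any input, whereas escaping on input and decoding on output, which is what the advisory describes, silently undoes the protection. Running audit_submission() over an export of existing submissions gives a list to inspect before and after upgrading, since a stored payload is not removed by the plugin update.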



Advisories

No advisories yet.

History

Wed, 04 Feb 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   10web; 10web form Maker; Wordpress; Wordpress wordpress
Vendors & Products                    10web; 10web form Maker; Wordpress; Wordpress wordpress

Tue, 03 Feb 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 03 Feb 2026 13:15:00 +0000

Type          Values Removed   Values Added
Description                    (the CVE description shown under Description at the top of this page)
Title                          Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via Hidden Field
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:49.695Z

Reserved: 2026-01-16T18:20:44.141Z

Link: CVE-2026-1058

Vulnrichment

Updated: 2026-02-03T15:26:00.302Z

NVD

Status: Deferred

Published: 2026-02-03T07:16:11.690

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1058

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T21:30:13Z

Weaknesses