Description
The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization (`sanitize_text_field` strips tags but not quotes) and missing output escaping when rendering submission data in the admin Submissions view. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript through a form submission that executes in the browser of an administrator who views the submission details.
Published: 2026-04-14
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The Form Maker by 10Web plugin for WordPress contains a stored cross-site scripting flaw. A Matrix field (Text Box input type) accepts content that is passed through `sanitize_text_field`, which removes tags but not quotes, and the field data is then rendered in the admin Submissions view without output escaping. This allows an unauthenticated attacker to submit a form containing malicious JavaScript, which executes automatically in the browser of any administrator who later views the submission. The impact is remote script execution in an admin session, enabling credential theft, session hijacking and potential site defacement.
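The two rendering paths the analysis describes, as an added PHP example that is not Form Maker's or WordPress core's code: the stand-in `sanitize_text_field`/`esc_attr` definitions are simplified assumptions so the file runs outside WordPress, and `render_matrix_cell_*` and `attribute_is_sealed` are hypothetical helper names.

```php
<?php
// Added example (not the plugin's code). A Matrix text-box value that passes
// sanitize_text_field() keeps its quote characters; only context-aware output
// escaping at render time closes the gap described in the advisory.

if (!function_exists('sanitize_text_field')) {
    // Simplified stand-in for WordPress's function: strips tags and collapses
    // whitespace, but leaves quotes intact, which is the property that matters here.
    function sanitize_text_field(string $s): string {
        return trim(preg_replace('/\s+/', ' ', strip_tags($s)));
    }
}
if (!function_exists('esc_attr')) {
    // Stand-in for WordPress's esc_attr(): encodes both quote styles.
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// The pattern the advisory describes: sanitized on input, echoed raw in the admin view.
function render_matrix_cell_vulnerable(string $stored): string {
    return '<input type="text" value="' . $stored . '">';
}

// Hardened form: escape for the exact output context (an HTML attribute value).
function render_matrix_cell_escaped(string $stored): string {
    return '<input type="text" value="' . esc_attr($stored) . '">';
}

// Review check: nothing but the closing '>' may follow the attribute's closing quote,
// i.e. no unencoded quote from the stored value may terminate the attribute early.
function attribute_is_sealed(string $html): bool {
    preg_match('/value="([^"]*)"(.*)$/s', $html, $m);
    return isset($m[2]) && $m[2] === '>';
}

// Constructed sample: ordinary text that happens to contain a double quote and a tag.
$submitted = 'Size: 12" <b>wide</b>';
$stored    = sanitize_text_field($submitted);   // tag removed, quote survives

echo "Stored:   $stored\n";
echo "Raw echo: " . render_matrix_cell_vulnerable($stored) . "\n";
echo "Escaped:  " . render_matrix_cell_escaped($stored) . "\n";
var_dump(attribute_is_sealed(render_matrix_cell_vulnerable($stored)));
var_dump(attribute_is_sealed(render_matrix_cell_escaped($stored)));
```

The same check applied to the admin view after upgrading is a direct way to confirm the second recommended action below (that Matrix values are escaped when displayed).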

Affected Systems

The vulnerability affects all releases of the Form Maker by 10Web – Mobile‑Friendly Drag & Drop Contact Form Builder for WordPress up to and including version 1.15.40. WordPress sites that have not upgraded past this version are susceptible.

Risk and Exploitability

The flaw has a CVSS score of 7.2, indicating high severity. Because it does not require authentication to inject the payload, and any administrative viewer of a malicious submission will trigger execution, the risk is significant even though EPSS data is unavailable and it is not listed in CISA’s KEV catalog. The low barrier to exploitation means that attackers can readily take advantage of this weakness if the plugin remains outdated.

Generated by OpenCVE AI on April 14, 2026 at 03:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of Form Maker by 10Web available at the WordPress plugin repository.
  • After upgrading, verify that Matrix field submissions are correctly escaped when displayed in the Submissions view.
  • Restrict form submissions to trusted users or disable the Matrix field if it is not needed.
  • Manually review existing submissions for embedded scripts and delete any that appear malicious.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type: First Time appeared
Values Added: 10web; 10web form Maker By 10web – Mobile-friendly Drag & Drop Contact Form Builder; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: 10web; 10web form Maker By 10web – Mobile-friendly Drag & Drop Contact Form Builder; Wordpress; Wordpress wordpress

Tue, 14 Apr 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 02:45:00 +0000

Type: Description
Values Added: The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization (`sanitize_text_field` strips tags but not quotes) and missing output escaping when rendering submission data in the admin Submissions view. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript through a form submission that executes in the browser of an administrator who views the submission details.

Type: Title
Values Added: Form Maker by 10Web <= 1.15.40 - Unauthenticated Stored Cross-Site Scripting via Matrix Field Text Box

Type: Weaknesses
Values Added: CWE-79

Type: References (no values listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-14T14:04:52.784Z

Reserved: 2026-03-18T14:09:39.621Z

Link: CVE-2026-4388

Vulnrichment

Updated: 2026-04-14T14:04:09.931Z

NVD

Status : Deferred

Published: 2026-04-14T03:16:08.720

Modified: 2026-04-22T20:23:16.350

Link: CVE-2026-4388

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:30:58Z

Weaknesses