Platform: wordpress
Component: form-maker
Fixed in: 1.15.41
CVE-2026-4388 is a stored cross-site scripting (XSS) vulnerability in the Form Maker by 10Web plugin for WordPress. An unauthenticated attacker can inject JavaScript through a public form submission; the payload is stored together with the submission and executes in the browser of any administrator who later opens the submission details. Versions up to and including 1.15.40 are affected; version 1.15.41 contains the fix.
The injection point is the Matrix field with the Text Box input type. The value submitted there is not adequately escaped when the admin Submissions view renders it, so a submission containing script-bearing HTML gets arbitrary JavaScript executed in the administrator's authenticated session. Because WordPress sets its authentication cookies HttpOnly, the realistic impact is less about stealing the session cookie than about acting as the administrator: the script can issue authenticated requests with the admin's own nonces to create users, change settings or install code, deface the admin interface, or redirect the victim to a phishing page. The attacker needs no account of their own; reaching the public form is enough.
The vulnerability was publicly disclosed on 2026-04-13. No public proof-of-concept (PoC) code has been released as of this writing, but stored XSS through an unauthenticated form is simple to reproduce once the injection point is known, so the risk of exploitation should be treated as moderate. It is not currently listed in the CISA KEV catalog.
Exploit status:
EPSS: 0.09% (26th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-4388 is to upgrade Form Maker by 10Web to version 1.15.41 or later without delay. If that is not immediately possible, reduce exposure in the meantime: disable the Matrix field on public forms where it is not essential, and add a Web Application Firewall (WAF) rule that rejects submissions carrying HTML markup or script-like content in that field. Treat the WAF rule as a stopgap only; input filtering is bypass-prone, and the real fix is output encoding in the admin view. Whether or not you patched promptly, review submissions received while a vulnerable version was installed, because a payload planted earlier would already have fired the first time an administrator opened it. There are no specific Sigma or YARA patterns available at this time; the practical detection is to inspect stored submission values for HTML tags, event-handler attributes and javascript: URIs, and to check any WAF or request logs that capture POST bodies for the same indicators.
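As an added example (not the plugin's own code and not from the page's authors), the following Python script shows both halves of what the exploit description and the mitigation text above describe: the vulnerable versus hardened rendering of a stored value, which is why the payload fires in the admin Submissions view, and a triage pass over exported submissions that flags the ones worth inspecting before an administrator opens them. The submission records, their field names and the payloads are constructed here; the plugin's real storage layout is not known, so the loader is the part to adapt to your own export.

```python
"""Triage stored form submissions for stored-XSS payloads and show why
output encoding neutralises them. Added example, not Form Maker code."""
import html
import re
import urllib.parse

# Indicators of script-bearing content. A legitimate free-text answer has no
# reason to contain any of these; a hit means "look at it before an admin does".
XSS_INDICATORS = [
    re.compile(r"<\s*/?\s*(script|iframe|object|embed|svg|img|math|style|link)\b", re.I),
    re.compile(r"\bon(error|load|click|focus|blur|mouse\w*|key\w*|toggle|animation\w*)\s*=", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"srcdoc\s*=", re.I),
]


def decode_layers(value, max_rounds=3):
    """Undo a few rounds of percent- and entity-encoding so that obfuscated
    payloads (e.g. '%3Cscript%3E' or '&amp;lt;script&amp;gt;') still match."""
    current = value
    for _ in range(max_rounds):
        decoded = html.unescape(urllib.parse.unquote(current))
        if decoded == current:
            break
        current = decoded
    return current


def suspicious_fields(submission):
    """Return the names of the fields in one submission whose value matches
    an XSS indicator after decoding."""
    hits = []
    for field, value in submission.items():
        if isinstance(value, str):
            decoded = decode_layers(value)
            if any(p.search(decoded) for p in XSS_INDICATORS):
                hits.append(field)
    return hits


def triage(submissions):
    """Map submission id -> suspicious field names, for every submission
    that has at least one hit."""
    report = {}
    for sub in submissions:
        fields = {k: v for k, v in sub.items() if k != "id"}
        hits = suspicious_fields(fields)
        if hits:
            report[sub["id"]] = hits
    return report


def render_unsafe(value):
    """The vulnerable pattern: a stored value dropped into the admin page as
    raw HTML, so a stored <script> or onerror= payload runs in the admin's
    browser."""
    return f"<td>{value}</td>"


def render_safe(value):
    """The hardened pattern: encode the value for an HTML text context before
    output (WordPress code would use esc_html(); html.escape is the Python
    equivalent). The browser shows the payload as text instead of running it."""
    return f"<td>{html.escape(value, quote=True)}</td>"


# Constructed sample data standing in for exported submissions. The field
# names are illustrative; "matrix_textbox_1" is not the plugin's real name.
SAMPLE_SUBMISSIONS = [
    {"id": 101, "name": "Alice", "matrix_textbox_1": "Prefers morning slots"},
    {"id": 102, "name": "Bob", "matrix_textbox_1": "Budget is 10 < 20 < 30"},
    {"id": 103, "name": "x",
     "matrix_textbox_1": '<img src=x onerror="alert(document.domain)">'},
    {"id": 104, "name": "y",
     "matrix_textbox_1": "%3Cscript%3Edocument.title%3D1%3C/script%3E"},
]

if __name__ == "__main__":
    for sub_id, fields in triage(SAMPLE_SUBMISSIONS).items():
        print(f"submission {sub_id}: suspicious fields {fields}")
    payload = SAMPLE_SUBMISSIONS[2]["matrix_textbox_1"]
    print("unsafe:", render_unsafe(payload))
    print("safe:  ", render_safe(payload))
```

The decoder runs a bounded number of rounds on purpose: attackers double-encode to slip past single-pass filters, but unbounded decoding of untrusted input is its own denial-of-service risk. Note that submission 102, which legitimately contains `<`, is not flagged, while the percent-encoded script in 104 is.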
Update to version 1.15.41 or a newer patched version.
It is the identifier assigned to this specific vulnerability: a stored XSS flaw in the Form Maker by 10Web plugin for WordPress.
Stored cross-site scripting is a flaw in which attacker-supplied content is saved by the site and later placed into a page without proper encoding, so the attacker's script runs in the browser of every user who views that page. Here the stored content is a form submission and the viewer is an administrator.
If you cannot update immediately, keep administrators away from the Submissions view for the affected forms, or remove the Matrix field, until you have patched. A Content Security Policy that blocks inline script would stop this class of payload, but the WordPress admin area depends heavily on inline scripts, so such a policy is rarely deployable there without breaking the dashboard; treat it as a last resort and test it carefully.
Review stored form submissions for HTML tags, event-handler attributes (onerror=, onload= and similar) and javascript: URIs, and check any WAF or request logs that record POST bodies for the same indicators.
Check the installed plugin version on the WordPress Plugins page: any version up to and including 1.15.40 is affected. Vulnerability scanners that track WordPress plugin versions will flag it as well, and manual testing against a site you control is also possible.