Platform: wordpress
Component: form-maker
Fixed in: 1.15.41
CVE-2026-4388 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Form Maker by 10Web plugin for WordPress. This vulnerability allows unauthenticated attackers to inject malicious JavaScript code through form submissions, which then executes when an administrator views the submission details. The vulnerability impacts versions of the plugin up to and including 1.15.40, but a fix is available in version 1.15.41.
CVE-2026-4388 in the 10Web Form Maker plugin for WordPress presents a significant security risk. It allows unauthenticated attackers to inject arbitrary JavaScript code through a form submission, specifically within the 'Matrix' field (Text Box input type). The exploit relies on insufficient input sanitization (sanitize_text_field() does not strip quotes) combined with missing output escaping when the submission data is rendered in the admin Submissions view. A malicious actor could use the injected code to steal session cookies, redirect administrators to malicious websites, or modify page content, compromising the website's integrity and confidentiality.
Exploiting this vulnerability requires only submitting a form with malicious JavaScript in the 'Matrix' field. Because no authentication is required, anyone who can reach the form can potentially exploit it. The injected code executes in the administrator's browser when they open the Submissions view. Exploitation complexity is low, as no advanced technical skills are needed to craft a malicious submission. The impact depends on the injected code, but in the worst case it could result in complete control of the website.
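The following is an added illustration of the bug class described above, written for this page; it is not Form Maker's own code and the function names are hypothetical. It assumes WordPress is loaded (for example, saved as a file in wp-content/mu-plugins/ or run after requiring wp-load.php) so that sanitize_text_field(), esc_attr() and esc_html() exist. The point it shows is that input-side sanitization alone is not an output-escaping strategy: sanitize_text_field() removes tags but keeps the double quote, so a stored value echoed into an HTML attribute without esc_attr() can close that attribute and start a new one.

```php
<?php
/**
 * Added example (not the plugin's code): why sanitize_text_field() on input
 * is not enough when the stored value is later echoed into HTML.
 * Assumes WordPress is loaded so the WP helper functions are available.
 */

// Constructed sample value, not a real submission. sanitize_text_field()
// strips the <b> tag but leaves the double quote, which is all that is
// needed to break out of a value="" attribute.
$submitted = 'Alice <b>Smith</b>" title="broke out';

// Vulnerable pattern (hypothetical helper): sanitized on input, but echoed
// into an attribute with no escaping for the output context.
function fm_render_submission_cell_unsafe( string $stored ): string {
    return '<input type="text" value="' . $stored . '">';
}

// Hardened pattern (hypothetical helper): escape for the exact context the
// value lands in. esc_attr() encodes " as &quot;, so the attribute cannot
// be closed early regardless of what was stored.
function fm_render_submission_cell_safe( string $stored ): string {
    return '<input type="text" value="' . esc_attr( $stored ) . '">';
}

// What the plugin would have stored after input sanitization.
$stored = sanitize_text_field( $submitted );

echo "stored value : " . $stored . "\n";
echo "unsafe render: " . fm_render_submission_cell_unsafe( $stored ) . "\n";
echo "safe render  : " . fm_render_submission_cell_safe( $stored ) . "\n";

// The same rule applies when the value is written as text rather than into
// an attribute: use esc_html() at the point of output.
echo "safe text    : <td>" . esc_html( $stored ) . "</td>\n";
```

Running this shows the stored value as `Alice Smith" title="broke out` (tag removed, quote kept). The unsafe render produces an input whose value attribute ends at `Alice Smith` followed by an attacker-chosen `title` attribute, which is exactly the attribute-injection path the advisory describes; the safe render produces `value="Alice Smith&quot; title=&quot;broke out"`, a single inert attribute. The fix in 1.15.41 is described as adding output escaping of this kind, which is the control to look for in any plugin that renders user-submitted data in wp-admin.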
Exploit Status
EPSS: 0.09% (26th percentile)
To mitigate this risk, update the Form Maker plugin to version 1.15.41 or later; that version fixes the issue with proper input sanitization and output escaping. Also review existing form submissions for suspicious content. As a preventive measure, consider a Content Security Policy (CSP) to restrict script execution from untrusted sources. Finally, ensure all users have strong passwords and enable two-factor authentication to protect administrator accounts.
Update to version 1.15.41, or a newer patched version
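The advisory's interim steps are to review stored submissions for suspicious content and to consider a CSP while waiting to update. The script below is an added, defender-side example for both steps; it is not from 10Web or the plugin, the function names are hypothetical, and the `$rows` array is constructed sample data rather than the plugin's real table layout (export your submissions and map them into the same id/field/value shape). The review part is plain PHP and runs stand-alone; the CSP part only registers itself when WordPress's add_action() is present.

```php
<?php
/**
 * Added example (not the plugin's code): flag stored form values that
 * deserve a human look, and register an interim report-only CSP for
 * wp-admin. Names are hypothetical; sample rows are constructed.
 */

/** Return the labels of indicators matched in one stored value. */
function fm_review_flags( string $value ): array {
    $indicators = [
        'html_tag'      => '/<\s*\/?\s*[a-z][\w-]*/i',   // any tag-like token
        'event_handler' => '/\bon[a-z]+\s*=/i',          // onerror=, onfocus=, ...
        'js_scheme'     => '/javascript\s*:/i',          // javascript: URLs
        'attr_breakout' => '/["\'][^"\']*=/',            // quote then attr=  (the quote-based path)
        'html_entities' => '/&#x?[0-9a-f]+;|&[a-z]+;/i', // entity-encoded fragments
    ];
    $hits = [];
    foreach ( $indicators as $label => $re ) {
        if ( preg_match( $re, $value ) ) {
            $hits[] = $label;
        }
    }
    return $hits;
}

/** Run the review over rows shaped like ['id' => int, 'field' => string, 'value' => string]. */
function fm_review_rows( array $rows ): array {
    $report = [];
    foreach ( $rows as $row ) {
        $flags = fm_review_flags( (string) $row['value'] );
        if ( $flags ) {
            $report[] = [ 'id' => $row['id'], 'field' => $row['field'], 'flags' => $flags ];
        }
    }
    return $report;
}

// Constructed sample rows (not real submissions). Row 3 is a legitimate
// apostrophe and must not be flagged; rows 2 and 4 should be.
$rows = [
    [ 'id' => 1, 'field' => 'Matrix', 'value' => 'Option B' ],
    [ 'id' => 2, 'field' => 'Matrix', 'value' => 'Yes" onfocus="void(0)" autofocus="' ],
    [ 'id' => 3, 'field' => 'Name',   'value' => "O'Brien" ],
    [ 'id' => 4, 'field' => 'Matrix', 'value' => '&lt;script&gt;' ],
];

foreach ( fm_review_rows( $rows ) as $hit ) {
    printf( "submission %d, field %s: %s\n", $hit['id'], $hit['field'], implode( ', ', $hit['flags'] ) );
}

// Interim CSP for wp-admin. Registered on admin_init because headers are not
// yet sent at that point. Report-only first: wp-admin itself depends on
// inline scripts, so an enforcing policy without nonces or hashes breaks it.
if ( function_exists( 'add_action' ) ) {
    add_action( 'admin_init', function () {
        header( "Content-Security-Policy-Report-Only: script-src 'self'; object-src 'none'; base-uri 'self'" );
    } );
}
```

On the sample rows the review reports submission 2 (event_handler, attr_breakout) and submission 4 (html_entities) and stays silent on the apostrophe in row 3. Treat the output as a triage list, not a verdict: delete or neutralize flagged submissions before an administrator opens the Submissions view on an unpatched install, and keep the CSP in report-only mode until the violation reports show it would not break legitimate admin pages.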
CVE-2026-4388 is the unique identifier assigned to this security vulnerability in the 10Web Form Maker plugin.
Stored cross-site scripting is a class of vulnerability in which an attacker injects malicious code into a website, where it is saved and later executes in the browsers of other users who view it.
If you can't update immediately, consider temporarily disabling access to the Submissions view or implementing a Content Security Policy (CSP).
To detect exploitation, review form submissions for suspicious content and monitor your website's network traffic.
Vulnerability scanners can detect this vulnerability; you can also perform manual testing to verify the issue.