Stored Cross-Site Scripting in Form Maker Plugin for WordPress
CVE-2026-1058

7.1HIGH

Key Information:

Vendor: WordPress
Status: Form Maker By 10web – Mobile-friendly Drag & Drop Contact Form Builder
Vendor: CVE Published:; 3 February 2026

What is CVE-2026-1058?

The Form Maker plugin for WordPress is susceptible to Stored Cross-Site Scripting due to improper handling of hidden field values. This vulnerability arises because the plugin fails to adequately escape output when presenting user-supplied data in the admin submissions list. By leveraging the html_entity_decode() function without subsequent escaping, attackers can inject malicious scripts into seemingly benign hidden fields. Consequently, when an administrator views the submissions, the injected scripts can execute, potentially compromising the security of the site and impacting the integrity of the admin panel.

Affected Version(s)

Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder 0 <= 1.15.35

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/form-maker/tag...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 3, 2026
Vulnerability Reserved
Jan 16, 2026

Credit

Supakiad S.

CVE-2026-1058 Data

JSON