Stored Cross-Site Scripting Vulnerability in Form Maker Plugin for WordPress

CVE-2026-1065

What is CVE-2026-1065?

The Form Maker by 10Web plugin for WordPress allows unauthenticated attackers to exploit a stored cross-site scripting vulnerability present in all versions up to 1.15.35. The issue arises from the plugin's inadequate validation of uploaded file types, specifically the inclusion of SVG files in its default file upload allowlist, combined with a weak method of validating file extensions. This weak validation permits the uploading of harmful SVG files containing JavaScript, which can execute upon being accessed by administrators or users. As a result, attackers can leverage this vulnerability to inject malicious scripts into forms, posing a significant risk to site security.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References