Stored Cross-Site Scripting Vulnerability in Form Maker Plugin by 10Web
CVE-2026-4388

7.2HIGH

Key Information:

Vendor: WordPress
Status: Form Maker By 10web – Mobile-friendly Drag & Drop Contact Form Builder
Vendor: CVE Published:; 14 April 2026

What is CVE-2026-4388?

The Form Maker plugin by 10Web is prone to a Stored Cross-Site Scripting vulnerability due to inadequate input sanitization in the Matrix field. This flaw allows an attacker to inject malicious JavaScript code through form submissions, which can then be executed in the browser of an administrator who accesses the submission details. The vulnerability is present in all versions through 1.15.40, primarily resulting from the failure to effectively sanitize user inputs and escape outputs when displaying submission data in the admin interface.

Affected Version(s)

Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder 0 <= 1.15.40

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/form-maker/tag...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 14, 2026
Vulnerability Reserved
Mar 18, 2026

Credit

Naoya Takahashi

CVE-2026-4388 Data

JSON