CVE-2026-1065

7.2 HIGH

📋 TL;DR

The Form Maker by 10Web WordPress plugin allows unauthenticated attackers to upload malicious SVG files containing JavaScript code due to weak file extension validation. When these files are viewed by administrators or site visitors, the JavaScript executes, enabling stored cross-site scripting attacks. All WordPress sites using Form Maker plugin versions up to 1.15.35 are affected.

💻 Affected Systems

Products:
  • Form Maker by 10Web WordPress Plugin
Versions: All versions up to and including 1.15.35
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration when file upload fields are enabled in forms.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, take over WordPress admin accounts, deface websites, or redirect visitors to malicious sites.

🟠 Likely Case

Attackers inject malicious JavaScript that steals user session data or performs actions on behalf of authenticated users.

🟢 If Mitigated

With proper Content Security Policy and file upload restrictions, impact is limited to potential data leakage from the specific vulnerable form.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only the ability to submit forms with file upload fields and knowledge of SVG XSS payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.15.36 and later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3447011%40form-maker%2Ftrunk&old=3440395%40form-maker%2Ftrunk&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Form Maker by 10Web' and click 'Update Now'.
4. Verify the version is 1.15.36 or higher.

🔧 Temporary Workarounds

Disable SVG file uploads (applies to: all)

  • Modify the plugin code to remove SVG from the allowed file types
  • Edit wp-content/plugins/form-maker/frontend/models/form_maker.php and remove 'svg' from the allowed file extensions

Disable file upload fields (applies to: all)

  • Remove or disable file upload fields in all forms

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to block inline script execution
  • Use web application firewall (WAF) rules to block SVG file uploads containing JavaScript

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for Form Maker version. If version is 1.15.35 or lower, you are vulnerable.

Check Version:

wp plugin list --name=form-maker --field=version

Verify Fix Applied:

After updating, verify Form Maker version shows 1.15.36 or higher in WordPress plugins list.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads via form submissions
  • Multiple failed upload attempts with different file extensions

Network Indicators:

  • POST requests to /wp-admin/admin-ajax.php with file uploads containing SVG data
  • Unusual outbound connections after SVG file access

SIEM Query:

source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" AND method="POST" AND file_extension="svg")
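As an added defender-side check (not part of this advisory or of the plugin), the following Python scanner flags SVG files that carry script elements, event-handler attributes or javascript:/data: links, which is the content an SVG needs to deliver the stored XSS described above. The two sample files are constructed for the example; the directory path passed to scan_uploads is an assumption about where a site stores form submissions.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Elements that make an SVG active content when a browser renders it.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

# Constructed sample inputs (not taken from the advisory): a plain icon and a
# file carrying the kind of content a stored-XSS SVG needs.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
SCRIPTED_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    b'<script>alert(1)</script>'
    b'<a xlink:href="javascript:alert(2)"><text onmouseover="alert(3)">x</text></a></svg>'
)

def local_name(qualified: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script' (namespace stripped, lower-cased)."""
    return qualified.rsplit("}", 1)[-1].lower()

def svg_findings(data: bytes) -> list[str]:
    """Reasons an SVG must be treated as active content; an empty list means clean."""
    # Stdlib parser; for bulk scans of untrusted files prefer defusedxml.ElementTree.fromstring.
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Browsers tolerate malformed markup, so an unparseable file is
        # reported for manual review rather than silently passed.
        return [f"unparseable XML: {exc}"]
    findings = []
    for el in root.iter():
        name = local_name(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            if aname.startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href" and value.strip().lower().startswith(("javascript:", "data:")):
                findings.append(f"{aname}={value!r} on <{name}>")
    return findings

def scan_uploads(directory: str) -> dict[str, list[str]]:
    """Map every suspect .svg below `directory` (e.g. wp-content/uploads) to its findings."""
    report = {}
    for path in Path(directory).rglob("*.svg"):
        findings = svg_findings(path.read_bytes())
        if findings:
            report[str(path)] = findings
    return report
```

Run scan_uploads against the site's upload directory (the plugin's upload location is an assumption; adjust the path to where submitted files land); anything it returns warrants review before the file is served to anyone.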
