Primary

Context

Form Maker by 10Web Stored Cross-Site Scripting Vulnerability via SVG File Upload

Vulnerability

Patched

A stored cross-site scripting vulnerability has been identified in the Form Maker by 10Web plugin for WordPress, affecting all versions through 1.15.35. The issue arises from the plugin's file upload allowlist, which improperly includes SVG files and applies weak substring-based extension validation. This flaw enables unauthenticated attackers to upload malicious SVG files containing JavaScript that executes when the files are viewed by administrators or site visitors, provided they can submit forms.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded SVG files containing malicious JavaScript are executed when accessed by users with the appropriate permissions.

Remediation

Users are advised to update the Form Maker by 10Web plugin to version 1.15.36 or a newer patched version.

Added: Feb 3, 2026, 7:29 AM

Updated: Feb 3, 2026, 7:29 AM

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

1.7

exploitability

6.8

remediation

7.7

relevance

2.6

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

1.7

exploitability

6.8

remediation

7.7

relevance

2.6

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Form Maker by 10Web Stored Cross-Site Scripting Vulnerability via SVG File Upload

Vulnerability

Impact

Remediation

Affected Products

10Web Form Maker

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating