10Web Form Maker
Moderate fix1 remedy
cpe:2.3:a:10web:form_maker:*:*:*:*:wordpress:*:*
Moderate fix1 remedy
- <= 1.15.40
Form Maker by 10Web Stored Cross-Site Scripting Vulnerability
Vulnerability
Patched
A stored cross-site scripting vulnerability has been identified in the Form Maker by 10Web plugin for WordPress, affecting all versions through 1.15.40. The issue arises in the Matrix field (Text Box input type) of form submissions, where insufficient input sanitization allows unauthenticated attackers to inject arbitrary JavaScript. This injected script executes in the browser of an administrator viewing the submission details, due to missing output escaping in the admin Submissions view.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the submissions, potentially leading to session hijacking or other malicious actions.
Reproduction
To reproduce this vulnerability, submit a form using the Matrix field with a JavaScript payload. Once submitted, an administrator can view the injection in the Submissions details, where the script will execute in their browser.
Remediation
Users are advised to update the Form Maker by 10Web plugin to version 1.15.41 or later.
Added: Apr 14, 2026, 3:27 AM
Updated: Apr 14, 2026, 3:27 AM
Vulnerability Rating
Custom Algorithm
spread
5.2impact
5.4exploitability
7.6remediation
7.7relevance
5.9threat
4.8urgency
2.9incentive
0.0Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.