Form Maker by 10Web < 1.15.36 – Unauthenticated Stored Cross-Site Scripting via SVG file | CVE 2026-1065 | Plugin Vulnerabilities

Description

The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms.

Affects Plugins

Fixed in 1.15.36

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/8230d5f8-01d9-465a-8a43-e9852248bb3d

Miscellaneous

Original Researcher

Supakiad S. (m3ez)

Verified

No

WPVDB ID

06c93e2b-2fb9-4ceb-bf05-2e2abf693f8c

Timeline

Publicly Published

2026-02-02 (about 4 months ago)

Added

2026-02-02 (about 4 months ago)

Last Updated

2026-02-03 (about 4 months ago)

Other

Published

Title

Published

2024-10-25

Title

Multi Purpose Mail Form <= 1.0.2 - Unauthenticated Arbitrary File Upload

Published

2014-08-01

Title

Foxypress 0.4.1.1-0.4.2.1 - Arbitrary File Upload

Published

2025-06-05

Title

Store Locator WordPress < 1.5.3 - Authenticated (Admin+) Arbitrary File Upload

Published

2024-12-13

Title

Crafthemes Demo Import <= 3.3 - Authenticated (Admin+) Arbitrary File Upload in process_uploaded_files

Published

2025-12-05

Title

Starter Templates < 4.4.42 - Author+ Arbitrary File Upload via WXR Upload Bypass