WordPress Plugin Vulnerabilities

Form Maker by 10Web < 1.15.41 - Unauthenticated Stored Cross-Site Scripting via Matrix Field Text Box

Description

The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization (`sanitize_text_field` strips tags but not quotes) and missing output escaping when rendering submission data in the admin Submissions view. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript through a form submission that executes in the browser of an administrator who views the submission details.

Affects Plugins

Plugin icon
form-maker
Fixed in 1.15.41

References

CVE
CVE-2026-4388
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/197449f5-9304-49df-9261-a354145fc00e

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Naoya Takahashi (nakko)
Verified
No
WPVDB ID
83f7f7c7-cb6d-40a3-8d27-c6bc0c945d39

Timeline

Publicly Published
2026-04-13 (about 2 months ago)
Added
2026-04-13 (about 2 months ago)
Last Updated
2026-04-14 (about 2 months ago)

Other

Published
Title
Published
2025-07-14
Title
Fade Slider <= 2.6 - Reflected Cross-Site Scripting
Published
2024-05-03
Title
Folders Pro < 3.0.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting via User First Name and Last Name
Published
2026-03-10
Title
weForms < 1.6.28 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Hidden Field Value via REST API
Published
2024-05-01
Title
Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder < 2.5.4 - Contrib+ DOM-Based Cross-Site Scripting
Published
2024-06-05
Title
Themesflat Addons For Elementor < 2.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Tags