What the vulnerability does
01 Description
The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses html_entity_decode() on user-supplied hidden field values without subsequent escaping before output, which converts HTML entity-encoded payloads back into executable JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin submissions view that will execute whenever an administrator accesses the submissions list.
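The output pattern described above, reduced to its essentials as an added example (this is not Form Maker's code; the function names, the `<td>` wrapper and the sample value are constructed for illustration). The vulnerable function entity-decodes the stored hidden-field value and emits it with no further escaping; the fixed function escapes after decoding, so that escaping is the last operation before output. `htmlspecialchars()` stands in for WordPress's `esc_html()`, which is what a plugin would normally call.

```php
<?php
// Added example, not the plugin's own code. Two renderings of a stored
// hidden-field value for an admin table cell, so the difference can be inspected.

function render_hidden_value_vulnerable(string $stored): string
{
    // Decoding turns "&lt;" back into "<", so entity-encoded markup becomes live markup.
    // Nothing escapes the result before it reaches the page.
    $decoded = html_entity_decode($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td>' . $decoded . '</td>';
}

function render_hidden_value_fixed(string $stored): string
{
    // Same decode, but the value is escaped for its HTML context before output.
    $decoded = html_entity_decode($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safe = htmlspecialchars($decoded, ENT_QUOTES | ENT_HTML5, 'UTF-8'); // esc_html() in WordPress
    return '<td>' . $safe . '</td>';
}

// Crude review check: does the untrusted value contribute a tag to the cell?
// Only illustrates the test; real output-encoding audits use proper tooling.
function cell_contains_markup(string $html): bool
{
    $inner = preg_replace('#^<td>(.*)</td>$#s', '$1', $html);
    return preg_match('/<[a-zA-Z\/!]/', $inner) === 1;
}

// Constructed sample: a submitted hidden-field value as it might look after the
// storage layer entity-encoded it. Any tag, including <script>, decodes the same way.
$stored = '&lt;b&gt;hello&lt;/b&gt; &amp; goodbye';

$vuln  = render_hidden_value_vulnerable($stored);
$fixed = render_hidden_value_fixed($stored);

echo $vuln, PHP_EOL;   // the <b> tag is live markup in the rendered cell
echo $fixed, PHP_EOL;  // the tag is shown as text

var_dump(cell_contains_markup($vuln));   // markup present
var_dump(cell_contains_markup($fixed));  // no markup
```

Either dropping the `html_entity_decode()` call or escaping its result removes the defect; what matters is that the value is escaped for the output context immediately before it is written, regardless of what transformations ran earlier.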
Explanation of Vulnerability in Simple Terms
02 Summary
Form Maker by 10Web contains a stored cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users, in particular the admin submissions list. The vulnerability affects all versions up to and including 1.15.35. An attacker can craft a malicious link or form submission that executes JavaScript in a victim's browser, potentially stealing session tokens, redirecting users, or defacing content. Site administrators should update to a version newer than 1.15.35 immediately.
What an attacker can do
03 Attacker Capabilities
Inject and execute malicious JavaScript in visitors' browsers via crafted form submissions or links.
Potential impact on your site
04 Site Impact
Visitors' browsers can be compromised; session tokens, credentials, or personal data may be stolen; site reputation damaged.
Conditions required to exploit
05 Prerequisites
An administrator must open the submissions list containing the injected payload (or a victim must otherwise load a page carrying it); the attacker needs no authentication to submit the payload.
Key dates
06 Disclosure timeline
February 3, 2026: CVE published
April 8, 2026: Record updated