CVE-2026-1065
Stored XSS in Form Maker Plugin via Malicious SVG Upload
Publication date: 2026-02-03
Last updated on: 2026-02-03
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| 10web | form_maker | up to and including 1.15.35 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
Can you explain this vulnerability to me?
The Form Maker by 10Web WordPress plugin is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 1.15.35. The plugin's default allowlist for file upload fields includes SVG, and its extension validation is weak: it matches allowed extensions by substring rather than comparing the file's final extension exactly. An unauthenticated attacker can therefore submit a form with an SVG file that carries JavaScript (a `<script>` element, an event-handler attribute such as `onload`, or a `javascript:` link). When an administrator or a visitor later opens that file in the browser, for instance by following the link to the submitted attachment, the SVG is rendered as a document and the embedded script runs in the site's origin. [3]
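The two validation styles side by side, as an added example (not the plugin's code): a constructed model of the class of check described above, with assumed allowlists and file names. It shows why a substring match accepts a name like `payload.jpg.svg` even after `svg` has been removed from the list, and why an exact match on the final extension does not help while `svg` itself is allowlisted.

```python
"""Why a substring extension check is weak, and what an exact check looks like.
Added example: a constructed model of the class of check described in the
advisory, not Form Maker's code. The allowlists and file names are assumptions."""
import posixpath

# Assumed default allowlist for the demo; 'svg' is present, as the advisory says.
DEFAULT_ALLOWLIST = frozenset({"jpg", "jpeg", "png", "gif", "pdf", "svg"})
# An administrator who removes svg from the list expects svg uploads to stop.
HARDENED_ALLOWLIST = DEFAULT_ALLOWLIST - {"svg"}


def substring_check(filename: str, allowed) -> bool:
    """Weak: accept if ANY allowed extension appears ANYWHERE in the name."""
    name = filename.lower()
    return any(ext in name for ext in allowed)


def final_extension(filename: str) -> str:
    """Return the last dot-suffix of the last path component, lower-cased."""
    base = posixpath.basename(filename.replace("\\", "/"))
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def exact_check(filename: str, allowed) -> bool:
    """Hardened: exact match on the final extension, nothing else considered."""
    ext = final_extension(filename)
    return ext != "" and ext in allowed


def compare(filename: str, allowed) -> dict:
    """Run both checks on one name so the difference is visible side by side."""
    return {"weak": substring_check(filename, allowed),
            "strict": exact_check(filename, allowed)}


if __name__ == "__main__":
    # Constructed file names for the demonstration.
    for name in ["photo.jpg", "payload.jpg.svg", "payload.svg", "jpg", "x.svg.jpg"]:
        print(f"{name:16} default={compare(name, DEFAULT_ALLOWLIST)} "
              f"hardened={compare(name, HARDENED_ALLOWLIST)}")
```

The strict check still accepts `payload.svg` under the default list; that is the advisory's point. Correct extension matching closes the substring hole, but as long as SVG is an allowed type the uploaded file can carry script, so removing SVG from the allowlist (or neutralising it at serve time) is the control that matters.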
How can this vulnerability impact me?
An unauthenticated attacker can store JavaScript on the site that runs in the site's origin when an administrator or a visitor opens the uploaded SVG in a browser. The script then acts with the victim's privileges: in an administrator's session that can mean theft of sensitive information, session hijacking, changes to the site's configuration or content, or other actions performed on the administrator's behalf; in a visitor's session, defacement or credential theft. The file passes the plugin's own file-type checks because SVG is on the default allowlist and the extension check matches by substring, so no account on the site is needed. One caveat: script in an SVG does not run when the file is displayed through an `<img>` tag; the victim has to open the file directly or have it embedded via `<object>`, `<embed>` or an iframe, so some interaction by the victim is required. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
First confirm whether the plugin is installed and which version is active. With WP-CLI:
- `wp plugin get form-maker --field=version`
If the reported version is 1.15.35 or lower, the site is vulnerable. [1]

Then look for SVG files that have already been uploaded through form upload fields. The resources give no specific commands, but on a Linux host a search of the uploads tree for SVG files containing script-capable content is a reasonable starting point:
- `find /path/to/wordpress/wp-content/uploads/ -iname '*.svg' -exec grep -liE '<script|on[a-z]+=|javascript:' {} +`
Matching only `<script` is not enough: an SVG can run code from an event-handler attribute such as `onload` or from a `javascript:` URL, so the pattern above covers those as well. Treat matches as suspect rather than proof and review each file by hand. The plugin may store form attachments in a directory of its own, so adjust the path to wherever your installation keeps them. While the vulnerable version remains installed, also monitor incoming form submissions for SVG attachments.
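A more careful scanner than a single grep, added here as an example (not from the advisory or the plugin): it parses each SVG as XML and flags `<script>` and `<foreignObject>` elements, `on*` event-handler attributes, and `href`/`xlink:href` values with a `javascript:` or `data:` scheme, after stripping the whitespace that browsers ignore inside a scheme. The sample files in `SAMPLES` are constructed for the demonstration; `scan_tree` takes any directory.

```python
"""Flag SVG files that carry active content. Added example, not from the
advisory or the plugin; the SAMPLES below are constructed for the demonstration."""
import os
import re
import sys
import tempfile
import xml.etree.ElementTree as ET

ACTIVE_TAGS = {"script", "foreignobject"}      # elements that run or host script
ACTIVE_SCHEMES = ("javascript:", "data:")      # URL schemes worth flagging in href
RAW_PATTERN = re.compile(r"<\s*script|\bon[a-z]+\s*=|javascript\s*:|<\s*foreignobject", re.I)


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1].lower()


def classify_svg(data: bytes) -> list:
    """Return findings in document order; an empty list means nothing suspicious."""
    try:
        root = ET.fromstring(data)   # stdlib expat does not fetch external entities
    except ET.ParseError:
        # A malformed file will not render as image/svg+xml, but treat it as
        # suspect rather than clean: fall back to a raw case-insensitive scan.
        text = data.decode("utf-8", "replace")
        return ["unparseable XML with script-like content"] if RAW_PATTERN.search(text) else []
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)          # 'xlink:href' and plain 'href' both become 'href'
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href":
                # Browsers drop tabs/newlines inside the scheme, so strip whitespace first.
                scheme = re.sub(r"\s+", "", value).lower()
                for s in ACTIVE_SCHEMES:
                    if scheme.startswith(s):
                        findings.append(f"{s} URL in href on <{tag}>")
    return findings


def scan_tree(root_dir: str) -> dict:
    """Map each *.svg under root_dir (any case) to its findings."""
    results = {}
    for dirpath, _, files in os.walk(root_dir):
        for fn in files:
            if fn.lower().endswith(".svg"):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    results[path] = classify_svg(fh.read())
    return results


# Constructed samples: one clean file and five ways an SVG can carry script.
SAMPLES = {
    "clean.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>',
    "script.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>',
    "onload.svg": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect/></svg>',
    "xlink.svg": (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                  b'<a xlink:href="java&#x9;script:alert(1)"><text>x</text></a></svg>'),
    "foreign.svg": (b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
                    b'<body xmlns="http://www.w3.org/1999/xhtml"><script>alert(1)</script></body>'
                    b'</foreignObject></svg>'),
    "broken.svg": b'<svg onload="alert(1)"',
}


def demo() -> dict:
    """Write the constructed samples to a temp dir, scan it, return {name: findings}."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLES.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(body)
        return {os.path.basename(p): f for p, f in scan_tree(tmp).items()}


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, findings in sorted(results.items()):
        print(f"{'SUSPECT' if findings else 'clean  '} {path}: {'; '.join(findings)}")
```

Run it with the uploads directory as the only argument; without an argument it scans the constructed samples. Parsing the XML rather than grepping the bytes is what catches the `java&#x9;script:` form, which a literal search for `javascript:` misses, and it also keeps attribute names and namespaced tags from hiding behind unusual casing.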
What immediate steps should I take to mitigate this vulnerability?
Update Form Maker by 10Web to a version above 1.15.35, in which the issue is fixed. If you cannot update immediately:
- Remove `svg` from the allowed extensions of every file upload field in the plugin's form settings. Because the vulnerable versions match extensions by substring rather than exactly, do not rely on that setting alone.
- Enforce the restriction outside the plugin as well: block SVG uploads at the web server or WAF, or configure the server to deliver any `.svg` under the uploads directory with `Content-Disposition: attachment` or a `Content-Security-Policy` header that disallows script, so a file that does slip through is downloaded or rendered inert rather than executed in the site's origin.
- Search the upload directories for SVG files already present, inspect them, and remove any that contain `<script>` elements, event-handler attributes or `javascript:` URLs.
- Where the form does not need to be public, restrict it to authenticated, authorised users. Most contact forms must stay public, which is why the upload restriction matters more than access control here.
- Apply WAF rules that block SVG content in multipart uploads to the plugin's form endpoints while the update is pending. [1, 2]
Sanitising SVG on upload is possible but error-prone; rejecting the type outright is the safer control whenever the form does not genuinely need vector images.