CVE-2026-4388
Received Received - Intake
Stored XSS in Form Maker by 10Web Plugin Allows Admin Hijack

Publication date: 2026-04-14

Last updated on: 2026-04-14

Assigner: Wordfence

Description
The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization (`sanitize_text_field` strips tags but not quotes) and missing output escaping when rendering submission data in the admin Submissions view. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript through a form submission that executes in the browser of an administrator who views the submission details.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-14
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-14
EPSS Evaluated
2026-06-14
NVD
CVE-2026-4388
EUVD
EUVD-2026-22199
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
10web form_maker to 1.15.40 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Form Maker by 10Web plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in its Matrix field (Text Box input type) within form submissions. This vulnerability exists in all versions up to and including 1.15.40. It arises because the plugin does not properly sanitize inputβ€”specifically, the sanitize_text_field function removes HTML tags but not quotesβ€”and it fails to escape output when displaying submission data in the admin Submissions view. As a result, an unauthenticated attacker can inject arbitrary JavaScript code through a form submission, which will execute in the browser of an administrator who views the submission details.

Impact Analysis

This vulnerability allows unauthenticated attackers to inject and execute arbitrary JavaScript code in the browser of an administrator viewing form submissions. This can lead to several impacts including theft of administrator session cookies, unauthorized actions performed with administrator privileges, defacement of the admin interface, or further compromise of the WordPress site.

Mitigation Strategies

The vulnerability exists in all versions of the Form Maker by 10Web plugin for WordPress up to and including 1.15.40. To mitigate this vulnerability, you should update the plugin to a version later than 1.15.40 where the issue is fixed.

Additionally, as a temporary measure, restrict access to the WordPress admin Submissions view to trusted users only, since the vulnerability allows unauthenticated attackers to inject JavaScript that executes in the browser of administrators viewing submissions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4388. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart