| Plugin Name | WordPress Form Maker by 10Web |
|---|---|
| Type of Vulnerability | Cross Site Scripting |
| CVE Number | CVE-2026-1065 |
| Urgency | Medium |
| CVE Publish Date | 2026-02-08 |
| Source URL | CVE-2026-1065 |
Cross‑Site Scripting (CVE‑2026‑1065) in Form Maker by 10Web — What WordPress Site Owners Must Do Now
Unauthenticated stored XSS via SVG uploads in Form Maker (<=1.15.35) was published as CVE‑2026‑1065. This post explains the risk, how attackers can abuse SVG upload handling, how to detect exploitation, and a detailed mitigation and recovery checklist.
Why this vulnerability matters
Stored Cross‑Site Scripting (XSS) is a high‑impact client‑side vulnerability. In this case, unauthenticated attackers could upload crafted SVG files that persist on the site and execute JavaScript when rendered by visitors’ browsers. Because the vuln is unauthenticated, the attacker does not need a user account — only the ability to reach the vulnerable upload endpoint.
Potential consequences include:
- Theft of authenticated cookies and session tokens (leading to privilege escalation);
- Silent admin‑account takeover if administrators view infected pages;
- Persistent content injection (phishing, defacement, ad insertion);
- Drive‑by malware distribution to site visitors;
- Exfiltration of data accessible in a user’s browser (form entries, contact data);
- Reputational damage and SEO penalties.
