CVE-2026-1065

Published: Feb 3, 2026Modified: Feb 3, 2026

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Exploitability: 3.9 / Impact: 2.7

Source: security@wordfence.com

Description

The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms.

Related CWEs

CWE-434

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (5)

https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/frontend/models/form_maker.php#L1744

Source: security@wordfence.com

https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/frontend/models/form_maker.php#L1855

Source: security@wordfence.com

https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/js/add_field.js#L2364

Source: security@wordfence.com

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3447011%40form-maker%2Ftrunk&old=3440395%40form-maker%2Ftrunk&sfp_email=&sfph_mail=

Source: security@wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/8230d5f8-01d9-465a-8a43-e9852248bb3d?source=cve

Source: security@wordfence.com

Timeline

No history available yet.