CVE-2026-4388
Form Maker by 10Web <= 1.15.40 - Unauthenticated Stored Cross-Site Scripting via Matrix Field Text Box
The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization (`sanitize_text_field` strips tags but not quotes) and missing output escaping when rendering submission data in the admin Submissions view. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript through a form submission that executes in the browser of an administrator who views the submission details.
| CWE | CWE-79 |
| Vendor | 10web |
| Product | form maker by 10web – mobile-friendly drag & drop contact form builder |
| Published | Apr 14, 2026 |
| Last Updated | Apr 14, 2026 |
Get instant alerts for 10web form maker by 10web – mobile-friendly drag & drop contact form builder
Be the first to know when new high vulnerabilities affecting 10web form maker by 10web – mobile-friendly drag & drop contact form builder are published — delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N