CVE-2026-1058
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2Description
The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses html_entity_decode() on user-supplied hidden field values without subsequent escaping before output, which converts HTML entity-encoded payloads back into executable JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin submissions view that will execute whenever an administrator accesses the submissions list.
Analysis
Stored XSS in WordPress Form Maker plugin (versions up to 1.15.35) allows unauthenticated attackers to inject malicious scripts through hidden form field values that execute when administrators view the submissions list. The vulnerability stems from improper output escaping after HTML entity decoding of user-supplied input. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all WordPress instances running Form Maker plugin and document current versions. Within 7 days: Disable the Form Maker plugin or restrict admin access to submission lists; implement Web Application Firewall rules to block script injection attempts in form data. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today