CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Description (NVD)
The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization (sanitize_text_field strips tags but not quotes) and missing output escaping when rendering submission data in the admin Submissions view. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript through a form submission that executes in the browser of an administrator who views the submission details.
Analysis (AI)
Stored Cross-Site Scripting in Form Maker by 10Web WordPress plugin (versions ≤1.15.40) allows unauthenticated attackers to inject malicious JavaScript through Matrix field submissions that executes when administrators view submission details. The vulnerability stems from inadequate sanitization (sanitize_text_field removes tags but preserves quotes) and missing output escaping in the admin Submissions view. …
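Why stripping tags is not enough once a stored value is written into an HTML attribute, as an added example (not the plugin's code and not part of the advisory). The function names, the `<input>` markup and the sample value are constructed, and the attribute context is an assumption, since the page does not show the admin view's markup.

```php
<?php
// Added example: not Form Maker's code. Names, markup and input are constructed.

// Stand-in for a sanitizer that removes tags but leaves quotes untouched,
// the behaviour the advisory attributes to sanitize_text_field().
function tags_only_sanitize(string $value): string
{
    return trim(strip_tags($value));
}

// "Before": the stored value goes into an attribute with no output escaping.
function render_cell_unescaped(string $stored): string
{
    return '<input type="text" value="' . $stored . '" readonly>';
}

// "After": escape for the attribute context at output time. In WordPress this
// is esc_attr(); htmlspecialchars() with ENT_QUOTES is used here so the
// script runs without WordPress loaded.
function render_cell_escaped(string $stored): string
{
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" value="' . $safe . '" readonly>';
}

// Parse the markup and list the attributes the <input> element ends up with.
function attribute_names(string $html): array
{
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed submission value: harmless, but it closes the value attribute.
$submitted = '<b>row 1</b>" data-injected="1';
$stored    = tags_only_sanitize($submitted);

echo "stored:    $stored\n";
echo "unescaped: " . implode(', ', attribute_names(render_cell_unescaped($stored))) . "\n";
echo "escaped:   " . implode(', ', attribute_names(render_cell_escaped($stored))) . "\n";
```

The tags are gone from the stored value but the quote survives, so the unescaped render gains a `data-injected` attribute that the submitter controlled, while the escaped render keeps only `type`, `value` and `readonly`.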
Remediation (AI)
Within 24 hours: Disable Form Maker by 10Web plugin via wp-admin or command line until patched; review recent form submissions for suspicious content, particularly Matrix field entries. Within 7 days: Monitor vendor advisory channels (10Web support and plugin repository) for patch availability; test patch in staging environment before production deployment. …
EUVD-2026-22199
GHSA-73v2-xp42-4vcq