{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1065", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-16T19:16:43.079Z", "datePublished": "2026-02-03T06:38:04.369Z", "dateUpdated": "2026-04-08T17:03:54.659Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:54.659Z"}, "affected": [{"vendor": "10web", "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag & Drop Contact Form Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.15.35", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms."}], "title": "Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via SVG file", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8230d5f8-01d9-465a-8a43-e9852248bb3d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/js/add_field.js#L2364"}, {"url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/frontend/models/form_maker.php#L1744"}, {"url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/frontend/models/form_maker.php#L1855"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3447011%40form-maker%2Ftrunk&old=3440395%40form-maker%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Supakiad S."}], "timeline": [{"time": "2026-01-16T19:31:56.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-02T18:12:37.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T15:29:03.731766Z", "id": "CVE-2026-1065", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T15:30:36.400Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1065", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-03T15:29:03.731766Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T15:29:04.768Z"}}], "cna": {"title": "Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via SVG file", "credits": [{"lang": "en", "type": "finder", "value": "Supakiad S."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "10web", "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag & Drop Contact Form Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.15.35"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-16T19:31:56.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-02T18:12:37.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8230d5f8-01d9-465a-8a43-e9852248bb3d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/js/add_field.js#L2364"}, {"url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/frontend/models/form_maker.php#L1744"}, {"url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/frontend/models/form_maker.php#L1855"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3447011%40form-maker%2Ftrunk&old=3440395%40form-maker%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:54.659Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1065", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:03:54.659Z", "dateReserved": "2026-01-16T19:16:43.079Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-03T06:38:04.369Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms."}, {"lang": "es", "value": "El plugin Form Maker by 10Web para WordPress es vulnerable a cross-site scripting almacenado en todas las versiones hasta e incluyendo la 1.15.35. Esto se debe a que la lista de permitidos predeterminada de carga de archivos del plugin incluye archivos SVG, combinado con una validaci\u00f3n de extensi\u00f3n d\u00e9bil basada en subcadenas. Esto hace posible que atacantes no autenticados carguen archivos SVG maliciosos que contienen c\u00f3digo JavaScript que se ejecutar\u00e1 cuando sea visto por administradores o visitantes del sitio a trav\u00e9s de campos de carga de archivos en formularios, siempre que puedan enviar formularios."}], "id": "CVE-2026-1065", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-03T07:16:11.893", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/frontend/models/form_maker.php#L1744"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/frontend/models/form_maker.php#L1855"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/js/add_field.js#L2364"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3447011%40form-maker%2Ftrunk&old=3440395%40form-maker%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8230d5f8-01d9-465a-8a43-e9852248bb3d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T18:54:28.798352+00:00", "value": {"mitigation_remediation": ["Update the Form Maker plugin to the latest version (\u2265 1.15.36) to remove the vulnerable upload logic.", "Restrict the file upload allowlist to exclude SVG files or enforce strict MIME type validation so that only allowed non-executable types are accepted.", "Sanitize or strip executable content from any uploaded files, for example by removing <script> tags from SVG files or using a dedicated library to clean SVG uploads."], "summary": {"action": "Patch immediately", "impact": "Stored cross-site scripting via unauthenticated SVG upload"}, "threat_synthesis": {"affected_systems": "Vulnerable versions are all 10Web Form Maker releases up to and including 1.15.35 for WordPress. The product is a mobile-friendly drag-and-drop contact form builder available as a WordPress plugin. The issue resides in the file upload logic within the form handling code of the plugin.", "description_and_impact": "An unauthenticated attacker can upload a malicious SVG file because the plugin allows SVG files in its default allowlist and performs only weak substring checks on the file extension. The uploaded SVG can contain JavaScript that runs when the file is rendered by a browser, affecting anyone who views the file, including administrators and site visitors who submit the form.", "risk_and_exploitability": "The CVSS score of 7.2 indicates a high likelihood of impactful exploitation. EPSS is less than 1%, suggesting low overall exploitation probability at present, and the vulnerability is not currently listed in CISA's KEV catalog. Exploitation requires no special privileges; an attacker simply submits a form with a crafted SVG file. If the form is accessible to site visitors, the malicious code runs in their browsers and could lead to data theft or session hijacking, while administrators viewing the uploaded file may suffer credential compromise or site control."}}}}, "created": "2026-02-04T12:15:00.656215+00:00", "updated": "2026-04-15T19:00:12.289140+00:00", "vendors": ["10web", "10web$PRODUCT$form_maker", "wordpress", "wordpress$PRODUCT$wordpress"]}