{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4388", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-18T14:09:39.621Z", "datePublished": "2026-04-14T02:25:48.339Z", "dateUpdated": "2026-04-14T14:04:52.784Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-14T02:25:48.339Z"}, "affected": [{"vendor": "10web", "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag & Drop Contact Form Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.15.40", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization (`sanitize_text_field` strips tags but not quotes) and missing output escaping when rendering submission data in the admin Submissions view. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript through a form submission that executes in the browser of an administrator who views the submission details."}], "title": "Form Maker by 10Web <= 1.15.40 - Unauthenticated Stored Cross-Site Scripting via Matrix Field Text Box", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/197449f5-9304-49df-9261-a354145fc00e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.37/admin/views/FormMakerSubmits.php#L169"}, {"url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.37/admin/views/FormMakerSubmits.php#L166"}, {"url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.37/frontend/models/form_maker.php#L2352"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3501693%40form-maker%2Ftrunk&old=3492680%40form-maker%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Naoya Takahashi"}], "timeline": [{"time": "2026-03-18T14:25:04.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-13T13:52:02.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4388", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T14:02:24.488962Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:04:52.784Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4388", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T14:02:24.488962Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:04:09.931Z"}}], "cna": {"title": "Form Maker by 10Web <= 1.15.40 - Unauthenticated Stored Cross-Site Scripting via Matrix Field Text Box", "credits": [{"lang": "en", "type": "finder", "value": "Naoya Takahashi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "10web", "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag & Drop Contact Form Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.15.40"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-18T14:25:04.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-13T13:52:02.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/197449f5-9304-49df-9261-a354145fc00e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.37/admin/views/FormMakerSubmits.php#L169"}, {"url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.37/admin/views/FormMakerSubmits.php#L166"}, {"url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.37/frontend/models/form_maker.php#L2352"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3501693%40form-maker%2Ftrunk&old=3492680%40form-maker%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization (`sanitize_text_field` strips tags but not quotes) and missing output escaping when rendering submission data in the admin Submissions view. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript through a form submission that executes in the browser of an administrator who views the submission details."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-14T02:25:48.339Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4388", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:04:52.784Z", "dateReserved": "2026-03-18T14:09:39.621Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-14T02:25:48.339Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization (`sanitize_text_field` strips tags but not quotes) and missing output escaping when rendering submission data in the admin Submissions view. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript through a form submission that executes in the browser of an administrator who views the submission details."}], "id": "CVE-2026-4388", "lastModified": "2026-04-22T20:23:16.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-14T03:16:08.720", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.37/admin/views/FormMakerSubmits.php#L166"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.37/admin/views/FormMakerSubmits.php#L169"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.37/frontend/models/form_maker.php#L2352"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3501693%40form-maker%2Ftrunk&old=3492680%40form-maker%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/197449f5-9304-49df-9261-a354145fc00e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.15.40]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag & Drop Contact Form Builder", "source": "cna", "vendor": "10web"}, "product": "form_maker_by_10web_\u2013_mobile-friendly_drag_&_drop_contact_form_builder", "vendor": "10web"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-14T03:50:39.844085+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest version of Form Maker by\u00a010Web available at the WordPress plugin repository.", "After upgrading, verify that Matrix field submissions are correctly escaped when displayed in the Submissions view.", "Restrict form submissions to trusted users or disable the Matrix field if it is not needed.", "Manually review existing submissions for embedded scripts and delete any that appear malicious."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all releases of the Form Maker by 10Web \u2013 Mobile\u2011Friendly Drag & Drop Contact Form Builder for WordPress up to and including version\u00a01.15.40. WordPress sites that have not upgraded past this version are susceptible.", "description_and_impact": "The Form Maker by 10Web plugin for WordPress contains a stored cross\u2011site scripting flaw. A Matrix field (Text Box input type) accepts content that is passed through sanitize_text_field, which removes tags but not inconsistent quotes, and the field data is rendered in the admin Submissions view without escaping. This allows an unauthenticated attacker to submit a form that contains malicious JavaScript, which will execute automatically in the browser of any administrator who later views the submission. The impact is remote script execution in an admin session, enabling credential theft, session hijacking and potential site defacement.", "risk_and_exploitability": "The flaw has a CVSS score of\u00a07.2, indicating high severity. Because it does not require authentication to inject the payload, and any administrative viewer of a malicious submission will trigger execution, the risk is significant even though EPSS data is unavailable and it is not listed in CISA\u2019s KEV catalog. The low barrier to exploitation means that attackers can readily take advantage of this weakness if the plugin remains outdated."}}}}, "created": "2026-04-14T16:16:01.946106+00:00", "updated": "2026-04-14T16:30:58.825869+00:00", "vendors": ["10web", "10web$PRODUCT$form_maker_by_10web_\u2013_mobile-friendly_drag_&_drop_contact_form_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}