Old Form Maker plugin for WordPress lets attackers inject code
CVE-2026-4388
Summary
The Old Form Maker plugin for WordPress can allow attackers to inject malicious code into forms submitted to your website. This could allow them to take control of your site if an administrator views the form submission. Update the plugin to the latest version, which fixes this issue, to protect your site.
Original title
The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.4...
Original description
The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization (`sanitize_text_field` strips tags but not quotes) and missing output escaping when rendering submission data in the admin Submissions view. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript through a form submission that executes in the browser of an administrator who views the submission details.
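The gap described above (tags stripped on input, nothing escaped on output) is shown below as an added example in plain PHP. It is not the plugin's code. Assumptions: the submission value is rendered inside an HTML attribute, `strip_tags()` stands in for the tag-stripping step of `sanitize_text_field`, `htmlspecialchars()` stands in for WordPress's `esc_attr()`, and the function names and sample value are constructed for illustration.

```php
<?php
// Added illustration, not the plugin's code. strip_tags() stands in for the
// tag-stripping step of sanitize_text_field() so this runs without WordPress.

// Constructed sample value for a Matrix text box: no tags, one double quote.
$submitted = 'row1" data-injected="1';

// Input-side filtering: tags would be removed, quotes pass through unchanged.
$stored = strip_tags($submitted);

// Hypothetical admin view, "before": stored value placed in an attribute as-is.
function render_unescaped(string $value): string
{
    return '<input type="text" value="' . $value . '" readonly>';
}

// "After": escape for the attribute context at output time. In WordPress the
// call would be esc_attr(); htmlspecialchars() is the plain-PHP stand-in.
function render_escaped(string $value): string
{
    return '<input type="text" value="'
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '" readonly>';
}

// Parse the markup and list the attributes the <input> element ends up with.
function attribute_names(string $html): array
{
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

foreach (['unescaped' => render_unescaped($stored),
          'escaped'   => render_escaped($stored)] as $label => $html) {
    echo $label, ': ', $html, PHP_EOL;
    echo '  attributes: ', implode(', ', attribute_names($html)), PHP_EOL;
}
```

An attribute in the parsed element that the template did not write means the stored value escaped its `value` attribute, which is the condition output escaping is there to prevent.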
NVD CVSS 3.1
7.2
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026