CVE-2026-1058: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in 10web Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Severity: High
Tags: Vulnerability, CVE-2026-1058, CWE-79
Published: Tue Feb 03 2026 (02/03/2026, 06:38:05 UTC)
Source: CVE Database V5
Vendor/Project: 10web
Product: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Description

The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses html_entity_decode() on user-supplied hidden field values without subsequent escaping before output, which converts HTML entity-encoded payloads back into executable JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin submissions view that will execute whenever an administrator accesses the submissions list.

AI-Powered Analysis

Last updated: 02/03/2026, 06:59:52 UTC

Technical Analysis

CVE-2026-1058 is a stored cross-site scripting vulnerability affecting the 10Web Form Maker plugin for WordPress, up to and including version 1.15.35. The vulnerability stems from improper neutralization of input during web page generation, specifically in the admin submissions list where hidden field values are displayed. The plugin uses the PHP function html_entity_decode() on user-supplied hidden field values without applying proper output escaping afterward. This decoding converts HTML entity-encoded payloads back into executable JavaScript code. As a result, an unauthenticated attacker can inject malicious scripts into hidden form fields that are stored and later executed in the context of the administrator’s browser when they access the submissions list. This stored XSS can lead to session hijacking, privilege escalation, or further attacks on the administrative interface. The vulnerability is rated high severity with a CVSS 3.1 score of 7.1, reflecting its network attack vector, low attack complexity, no privileges required, but requiring user interaction (admin viewing submissions). The scope is changed (S:C) because the attack affects the confidentiality, integrity, and availability of the admin interface. No patches were linked at the time of publication, and no known exploits have been reported in the wild. The vulnerability highlights a common security flaw in WordPress plugins where insufficient output sanitization allows persistent script injection in administrative views.
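The Description and Technical Analysis above both describe the same defect: a stored hidden field value is passed through html_entity_decode() and written into the admin submissions page without being escaped again. The following PHP is an added illustration, not code from the Form Maker plugin; the function names, the table-cell wrapper and the sample value are assumptions made for the example. It places the flawed pattern beside the hardened one and includes a small check that a rendered cell contains only text.

```php
<?php
// Added example (not the plugin's code): how html_entity_decode() on stored
// user input turns entity-encoded text back into live markup, and the fix.

/**
 * Mimics the flawed pattern the advisory describes: the stored hidden field
 * value is entity-decoded and echoed into the admin page as-is, so whatever
 * markup the decode produces becomes part of the administrator's DOM.
 * (Hypothetical function name; the wrapping <td> is an assumption.)
 */
function render_hidden_value_vulnerable(string $stored): string
{
    return '<td>' . html_entity_decode($stored, ENT_QUOTES, 'UTF-8') . '</td>';
}

/**
 * Hardened version: if decoding is wanted for display, the decoded result
 * must be escaped again immediately before it is written into HTML.
 * Inside WordPress, esc_html() is the idiomatic call; plain PHP
 * htmlspecialchars() is used here so the file runs outside WordPress.
 */
function render_hidden_value_safe(string $stored): string
{
    $decoded = html_entity_decode($stored, ENT_QUOTES, 'UTF-8');
    return '<td>' . htmlspecialchars($decoded, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

/**
 * Cheap regression check for a rendered cell: a hidden field value is plain
 * text, so the cell body must survive strip_tags() unchanged. Any difference
 * means markup from the stored value reached the page.
 */
function cell_contains_only_text(string $html): bool
{
    $inner = preg_replace('#^<td>|</td>$#', '', $html);
    return $inner === strip_tags($inner);
}

// Constructed sample value: an entity-encoded tag of the kind a form
// submitter could place in a hidden field. A harmless <b> is used; the
// mechanism is identical for any other element the decode would produce.
$stored = '&lt;b&gt;injected&lt;/b&gt;';

$vulnerable = render_hidden_value_vulnerable($stored);
$safe       = render_hidden_value_safe($stored);

echo "vulnerable cell: $vulnerable\n";
echo "hardened cell:   $safe\n";
echo 'vulnerable cell is text-only: ' . var_export(cell_contains_only_text($vulnerable), true) . "\n";
echo 'hardened cell is text-only:   ' . var_export(cell_contains_only_text($safe), true) . "\n";
```

Running the file with the PHP CLI shows the vulnerable branch emitting a live `<b>` element while the hardened branch emits the entities as visible text, and the text-only check fails for the first and passes for the second. The same check can be run against every cell of a rendered submissions table as a unit test so that a future refactor cannot quietly drop the escaping step again; where the decode step serves no display purpose, removing it entirely is the simpler fix.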

Potential Impact

For European organizations, this vulnerability poses a significant risk to the security of WordPress-based websites that utilize the 10Web Form Maker plugin. Successful exploitation can lead to compromise of administrator sessions, unauthorized access to sensitive submission data, and potential site defacement or further malware injection. This can result in data breaches, loss of customer trust, regulatory non-compliance (e.g., GDPR violations), and operational disruption. Since the attack requires an administrator to view the malicious submission, organizations with high administrative activity or multiple administrators are at greater risk. The vulnerability could also be leveraged as a foothold for lateral movement within the network or to escalate privileges. Given the widespread use of WordPress in Europe and the popularity of form builder plugins, the impact could be broad, affecting sectors such as e-commerce, government, education, and healthcare.

Mitigation Recommendations

1. Immediately monitor and restrict administrative access to the WordPress backend, especially the submissions list of the 10Web Form Maker plugin, until a patch is available.
2. Apply strict input validation and output escaping on all hidden field values before rendering them in the admin interface. Use secure coding practices such as htmlspecialchars() or equivalent escaping functions after html_entity_decode() to neutralize scripts.
3. Limit the number of administrators who can access the submissions list and enforce multi-factor authentication (MFA) to reduce risk from compromised accounts.
4. Regularly audit plugin versions and update to the latest patched releases once available from 10Web.
5. Employ Web Application Firewalls (WAF) with custom rules to detect and block suspicious payloads targeting hidden fields in form submissions.
6. Educate administrators on the risks of XSS and encourage cautious behavior when reviewing form submissions.
7. Conduct regular security assessments and penetration testing focused on WordPress plugins and administrative interfaces to detect similar vulnerabilities.


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-01-16T18:20:44.141Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69819975f9fa50a62faa53b6

Added to database: 2/3/2026, 6:45:09 AM

Last enriched: 2/3/2026, 6:59:52 AM

Last updated: 2/3/2026, 8:50:42 AM

Views: 4
