CVE-2026-1058: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in 10web Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses html_entity_decode() on user-supplied hidden field values without subsequent escaping before output, which converts HTML entity-encoded payloads back into executable JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin submissions view that will execute whenever an administrator accesses the submissions list.
AI Analysis
Technical Summary
CVE-2026-1058 is a stored cross-site scripting vulnerability, classified under CWE-79, in the Form Maker by 10Web plugin for WordPress, a popular drag-and-drop contact form builder. It affects all versions up to and including 1.15.35 and stems from improper neutralization of input during web page generation. Specifically, the plugin calls the PHP function html_entity_decode() on user-supplied hidden field values when rendering the admin submissions list. That call turns entity-encoded text back into the literal characters it represents, so an entity-encoded payload becomes real markup again; because the plugin applies no output escaping afterward, that markup is written into the page as-is and the browser executes any script it contains. As a result, an attacker can inject malicious JavaScript payloads into hidden form fields that are stored and later executed in the browser context of any administrator viewing the submissions list. Since the vulnerability is exploitable without authentication, it poses a significant risk: the attack vector is remote network access with low complexity and no privileges required. It can affect the confidentiality (e.g., stealing admin cookies), integrity (e.g., modifying admin interface behavior), and availability (e.g., triggering denial of service) of the affected WordPress sites. Although no public exploits have been reported yet, the widespread use of this plugin and WordPress’s popularity make this a critical issue to address promptly.
Potential Impact
The impact of CVE-2026-1058 is substantial for organizations using the vulnerable Form Maker plugin. Successful exploitation allows unauthenticated attackers to execute arbitrary JavaScript in the context of an administrator’s browser, potentially leading to session hijacking, theft of sensitive information, unauthorized actions within the admin panel, and pivoting to further compromise the WordPress site or underlying infrastructure. This can result in data breaches, defacement, malware distribution, or complete site takeover. Because the vulnerability affects the admin submissions interface, it directly targets privileged users, increasing the risk severity. Organizations relying on this plugin for contact forms or data collection may face operational disruption and reputational damage if exploited. The vulnerability’s ease of exploitation and the critical role of WordPress in many organizations worldwide amplify its potential impact.
Mitigation Recommendations
To mitigate CVE-2026-1058, organizations should immediately update the Form Maker plugin to a patched version once released by 10Web. Until a patch is available, administrators should restrict access to the WordPress admin panel to trusted IP addresses and enforce multi-factor authentication to reduce the risk of exploitation. Additionally, implement web application firewall (WAF) rules to detect and block suspicious payloads targeting hidden form fields. Review and sanitize all user inputs rigorously, especially hidden fields, and ensure output encoding is properly applied when rendering data in the admin interface. Monitoring admin activity logs for unusual behavior and educating administrators about the risk of opening submissions from untrusted sources can further reduce exposure. Finally, consider temporarily disabling the Form Maker plugin if the risk is unacceptable and no immediate patch is available.
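The decode-then-emit pattern described in the technical summary, beside the escaped form the mitigation section calls for, as an added example. This is not Form Maker's code; it is plain PHP so it runs from the CLI, and it uses htmlspecialchars() where a WordPress plugin would use esc_html(). The sample stored value, the function names and the audit check are constructed for illustration.

```php
<?php
// Constructed sample of what one submissions-table cell might hold: a hidden
// field value that arrived entity-encoded. Decoding it yields literal markup.
$suspectValue = '&lt;script&gt;alert(1)&lt;/script&gt;';
// Constructed benign value, to show that escaping leaves ordinary data readable.
$benignValue  = 'campaign=spring &amp; summer';

/**
 * The vulnerable pattern: decode entities, then emit the result as HTML.
 * After html_entity_decode() the string contains a real <script> element,
 * and nothing escapes it before it reaches the page.
 */
function render_cell_vulnerable(string $stored): string
{
    $decoded = html_entity_decode($stored, ENT_QUOTES, 'UTF-8');
    return '<td>' . $decoded . '</td>';
}

/**
 * The hardened pattern: decode so the administrator sees the value the user
 * actually sent, then escape that decoded value for the HTML text context
 * right at the point of output. WordPress equivalent: esc_html($decoded).
 */
function render_cell_escaped(string $stored): string
{
    $decoded = html_entity_decode($stored, ENT_QUOTES, 'UTF-8');
    return '<td>' . htmlspecialchars($decoded, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

/**
 * Defender's audit check for data already in the database: would the decoded
 * value start an HTML tag or comment? Run it over a submissions export to find
 * rows that deserve review before an administrator opens the list.
 */
function decoded_value_contains_markup(string $stored): bool
{
    $decoded = html_entity_decode($stored, ENT_QUOTES, 'UTF-8');
    // In HTML, '<' followed by a letter, '/' or '!' opens a tag or a comment.
    return (bool) preg_match('/<[A-Za-z\/!]/', $decoded);
}

foreach (['suspect' => $suspectValue, 'benign' => $benignValue] as $label => $stored) {
    echo "[$label]\n";
    echo "  vulnerable output: " . render_cell_vulnerable($stored) . "\n";
    echo "  escaped output:    " . render_cell_escaped($stored) . "\n";
    echo "  needs review:      " . (decoded_value_contains_markup($stored) ? 'yes' : 'no') . "\n";
}
```

The order of the two steps is the whole point: escaping must be applied to the exact string that is about to be emitted, after any decoding, and for the context it lands in (esc_html() for element text, esc_attr() for attribute values). Escaping the still-encoded string instead would double-encode legitimate input, which is presumably why a decode step existed in the first place; decoding without re-escaping is what turns stored entities back into live script.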
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-16T18:20:44.141Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69819975f9fa50a62faa53b6
Added to database: 2/3/2026, 6:45:09 AM
Last enriched: 2/26/2026, 6:52:46 PM
Last updated: 3/20/2026, 2:29:42 PM