CVE-2026-1065: CWE-434 Unrestricted Upload of File with Dangerous Type in 10web Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms.
AI Analysis
Technical Summary
The Form Maker by 10Web plugin for WordPress suffers from CWE-434: Unrestricted Upload of File with Dangerous Type. The vulnerability arises because the plugin's default file upload allowlist includes SVG files, and the extension validation is based on weak substring matching. This flaw permits unauthenticated attackers to upload SVG files embedding malicious JavaScript. When these files are viewed by administrators or site visitors through form upload fields, the embedded script executes, leading to stored XSS. The vulnerability affects all versions up to and including 1.15.35 and has a CVSS 3.1 base score of 7.2 (high severity).
Potential Impact
Successful exploitation allows unauthenticated attackers to perform stored cross-site scripting attacks, potentially leading to the execution of arbitrary JavaScript in the context of the affected site. This can result in information disclosure or manipulation of site content as perceived by administrators or visitors. There is no indication of availability impact. No known exploits in the wild have been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, administrators should consider disabling SVG uploads or restricting file upload capabilities to trusted users only. Monitoring for suspicious uploaded files and removing any untrusted SVG files may reduce risk.
CVE-2026-1065: CWE-434 Unrestricted Upload of File with Dangerous Type in 10web Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Description
The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Form Maker by 10Web plugin for WordPress suffers from CWE-434: Unrestricted Upload of File with Dangerous Type. The vulnerability arises because the plugin's default file upload allowlist includes SVG files, and the extension validation is based on weak substring matching. This flaw permits unauthenticated attackers to upload SVG files embedding malicious JavaScript. When these files are viewed by administrators or site visitors through form upload fields, the embedded script executes, leading to stored XSS. The vulnerability affects all versions up to and including 1.15.35 and has a CVSS 3.1 base score of 7.2 (high severity).
Potential Impact
Successful exploitation allows unauthenticated attackers to perform stored cross-site scripting attacks, potentially leading to the execution of arbitrary JavaScript in the context of the affected site. This can result in information disclosure or manipulation of site content as perceived by administrators or visitors. There is no indication of availability impact. No known exploits in the wild have been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, administrators should consider disabling SVG uploads or restricting file upload capabilities to trusted users only. Monitoring for suspicious uploaded files and removing any untrusted SVG files may reduce risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-01-16T19:16:43.079Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69819975f9fa50a62faa53bb
Added to database: 2/3/2026, 6:45:09 AM
Last enriched: 4/9/2026, 6:24:45 PM
Last updated: 5/4/2026, 1:06:13 PM
Views: 100
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.