CVE-2026-1065 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) found in the 10Web Form Maker plugin for WordPress, a popular drag-and-drop contact form builder. The vulnerability arises because the plugin's default file upload allowlist includes SVG files, which are XML-based vector images capable of embedding JavaScript. The plugin uses weak substring-based extension validation, which attackers can bypass to upload malicious SVG files containing embedded JavaScript code. These files, when uploaded through form upload fields, are stored on the server and later rendered in the context of the WordPress site. When administrators or site visitors view these files, the embedded JavaScript executes, resulting in stored cross-site scripting (XSS). This can lead to session hijacking, defacement, or further exploitation of the site. The vulnerability affects all versions up to and including 1.15.35 of the plugin. The CVSS v3.1 score is 7.2 (high), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change with partial confidentiality and integrity impact but no availability impact. No patches are currently linked, and no known exploits are reported in the wild, but the vulnerability's nature and ease of exploitation make it a critical concern for WordPress sites using this plugin.

The impact of CVE-2026-1065 is significant for organizations using the 10Web Form Maker plugin. Successful exploitation allows unauthenticated attackers to upload malicious SVG files that execute JavaScript in the context of the affected website. This can lead to theft of administrator credentials, session hijacking, defacement, unauthorized actions on behalf of users, and potential pivoting to further internal network compromise. The confidentiality and integrity of the website and its users are at risk. Since the vulnerability requires no authentication or user interaction, it can be exploited at scale by automated attacks. Organizations relying on this plugin for contact forms or other user input collection may face reputational damage, data breaches, and compliance violations if exploited. The lack of known exploits currently provides a window for proactive mitigation, but the widespread use of WordPress and the plugin increases the potential attack surface globally.

To mitigate CVE-2026-1065, organizations should immediately update the 10Web Form Maker plugin to a patched version once available. In the absence of an official patch, administrators should disable SVG file uploads in the plugin settings or globally restrict SVG uploads on the WordPress site. Implementing strict server-side validation that checks the entire file content and MIME type, not just file extensions, can prevent malicious SVG uploads. Employ Content Security Policy (CSP) headers to restrict execution of inline scripts and reduce XSS impact. Regularly audit uploaded files and monitor logs for suspicious upload activity. Additionally, hardening WordPress installations by limiting plugin permissions, using web application firewalls (WAFs) with rules targeting SVG-based XSS, and educating administrators about the risks of untrusted file uploads are recommended. Finally, consider isolating file upload directories and disabling script execution in those directories to limit damage.