cleantalk
Vulnerabilities and Security Researches

Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder, CVE-2026-4388

CVE, Research URL

CVE-2026-4388

Home page URL

Security reports for Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Application

Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Published on
Apr 14, 2026
Research Description
The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization (`sanitize_text_field` strips tags but not quotes) and missing output escaping when rendering submission data in the admin Submissions view. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript through a form submission that executes in the browser of an administrator who views the submission details.
Affected versions
max 1.15.41.
Status
vulnerable
Previous vulnerability researches
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder (CVE-2024-43220) , Aug 13, 2024
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder (CVE-2024-6130) , Jul 02, 2024
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder (CVE-2025-15441) , Apr 15, 2026
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder (CVE-2026-1058) , Apr 15, 2026
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder (CVE-2026-39502) , Apr 15, 2026
New vulnerability
WooMS (CVE-2025-57957) , Apr 20, 2026
Simple User Registration (CVE-2026-0844) , Apr 20, 2026
Kubio AI Page Builder (CVE-2026-5427) , Apr 20, 2026
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder (CVE-2026-3330) , Apr 20, 2026
Sell Photo (2ce065d802b631a3fa4492d5366f0ffc4e0ee37b) , Apr 19, 2026