WordPress Form Maker Plugin Hit by Stored XSS
The National Vulnerability Database (NVD) recently detailed a significant security flaw, CVE-2026-4388, affecting the Form Maker by 10Web plugin for WordPress. This vulnerability, a Stored Cross-Site Scripting (XSS) issue, impacts all versions up to and including 1.15.40.
According to the NVD, the root cause lies in insufficient input sanitization within the Matrix field’s Text Box input type during form submissions. Specifically, while sanitize_text_field strips HTML tags, it fails to handle quotes properly. Compounding this, there’s a lack of output escaping when submission data is rendered in the administrator’s Submissions view. This oversight creates an avenue for unauthenticated attackers to inject arbitrary JavaScript code through a crafted form submission. The malicious script then executes in the browser of any administrator who views the submission details, potentially leading to session hijacking, data theft, or further compromise of the WordPress site.
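The following added example (not code from the plugin or from WordPress) models the two halves of the bug the NVD describes: a simplified stand-in for `sanitize_text_field` that removes tags but leaves quotes alone, and the difference between rendering that value into an admin-view attribute raw versus with attribute escaping. The submission string is constructed for the test and uses an inert `data-` attribute to show the quote break-out without any script.

```python
import html
import re
from html.parser import HTMLParser

# Simplified model of WordPress sanitize_text_field(): strips tags and
# collapses whitespace, but does NOT encode quote characters.
# Assumption: constructed approximation, not WordPress's own code.
TAG_RE = re.compile(r"<[^>]*>")

def sanitize_text_field(value: str) -> str:
    return " ".join(TAG_RE.sub("", value).split())

def render_unescaped(value: str) -> str:
    """Vulnerable pattern: sanitized input dropped straight into an attribute."""
    return f'<input type="text" value="{value}" readonly>'

def render_escaped(value: str) -> str:
    """Hardened pattern: escape for the attribute context at output time
    (the equivalent of WordPress esc_attr)."""
    return f'<input type="text" value="{html.escape(value, quote=True)}" readonly>'

class _InputAttrs(HTMLParser):
    """Collects the attributes the browser would see on the <input> element."""
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)

def input_attributes(rendered: str) -> dict:
    parser = _InputAttrs()
    parser.feed(rendered)
    return parser.attrs

EXPECTED_ATTRS = {"type", "value", "readonly"}

def injected_attributes(rendered: str) -> set:
    """Check: any attribute beyond the template's own means the value broke out."""
    return set(input_attributes(rendered)) - EXPECTED_ATTRS

# Constructed submission: no tags, so tag stripping leaves it untouched,
# but the embedded quote closes the value attribute when rendered raw.
SUBMISSION = 'hello" data-injected="yes'

if __name__ == "__main__":
    clean = sanitize_text_field(SUBMISSION)
    print("raw render adds:", injected_attributes(render_unescaped(clean)))
    print("escaped render adds:", injected_attributes(render_escaped(clean)))
```

Running it shows the raw render gaining a `data-injected` attribute while the escaped render keeps only the template's three, with the stored value preserved verbatim inside `value`.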
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-4388 | XSS | Form Maker by 10Web plugin for WordPress versions <= 1.15.40 |
| CVE-2026-4388 | XSS | Vulnerable component: Matrix field (Text Box input type) in form submissions |
| CVE-2026-4388 | XSS | Insufficient input sanitization (`sanitize_text_field` strips tags but not quotes) |
| CVE-2026-4388 | XSS | Missing output escaping when rendering submission data in the admin Submissions view |