vulnerability

WordPress Plugin: form-maker: CVE-2026-1065: Unrestricted Upload of File with Dangerous Type

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
6	(AV:N/AC:L/Au:N/C:P/I:P/A:N)	Feb 2, 2026	Feb 3, 2026	Feb 4, 2026

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:P/A:N)

Published

Feb 2, 2026

Added

Feb 3, 2026

Modified

Feb 4, 2026

Description

The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms.

Solution

form-maker-plugin-cve-2026-1065

References

URL-https://www.cve.org/CVERecord?id=CVE-2026-1065
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/8230d5f8-01d9-465a-8a43-e9852248bb3d?source=api-prod
CVE-2026-1065
https://attackerkb.com/topics/CVE-2026-1065
CWE-434

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today