Form Maker by 10Web < 1.15.32 - Admin+ Stored XSS
Description
The Form Maker by 10Web WordPress plugin before 1.15.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Form Maker by 10Web plugin before 1.15.32 allows admin-level stored XSS due to improper sanitization of settings, even in multisite where unfiltered_html is disabled.
Vulnerability
The Form Maker by 10Web plugin for WordPress before version 1.15.32 does not sanitise on save or escape on output some of its settings, so a high-privilege user such as an administrator can store a cross-site scripting payload in them. WordPress normally treats markup submitted by administrators as trusted through the unfiltered_html capability, so admin-originated stored XSS is usually out of scope; this finding matters where that capability is disallowed, for example for site administrators in a multisite installation, because the plugin then lets them store script that core policy would otherwise have stripped [1].
Exploitation
An attacker who can edit the plugin's settings (an administrator, or in multisite a site administrator who lacks unfiltered_html) submits a payload such as an attribute-breaking or script-tag fragment in an affected settings field. The payload is stored and later executes in the browser of any other privileged user who loads the page on which the setting is rendered; the victim needs only to view that page, no click or other action is required [1].
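The bug class behind this advisory, as an added example that is not Form Maker's own code: a plugin setting stored without sanitisation and printed without escaping, beside the hardened form that strips markup from users who lack unfiltered_html on save and escapes for the attribute context on output. Plain PHP stands in for WordPress here (an array replaces get_option()/update_option(), and strip_tags()/htmlspecialchars() approximate sanitize_text_field()/esc_attr()); the function and option names are illustrative, and the payload is constructed for the demo. It runs under the PHP CLI with no WordPress install.

```php
<?php
// Added example, not the plugin's code. Demonstrates the stored-XSS pattern
// described in this advisory and its fix. Assumptions: the `$options` array
// stands in for wp_options; `$user_has_unfiltered_html` stands in for
// current_user_can('unfiltered_html'); function/option names are made up.

$options = [];   // stand-in for the wp_options table

// Constructed payload a site admin might submit as a form "title" setting.
// It closes the value="" attribute and injects an event handler.
$payload = '"><img src=x onerror=alert(document.cookie)>';

/* ---- Vulnerable pattern: store raw, echo raw ---------------------------- */

function vuln_save_title(array &$options, string $input): void
{
    $options['fm_title'] = $input;   // no sanitisation on save
}

function vuln_render_title(array $options): string
{
    // No escaping on output: the stored quote and tag break out of the attribute.
    return '<input name="title" value="' . $options['fm_title'] . '">';
}

/* ---- Hardened pattern: sanitise on save, escape on output --------------- */

function safe_save_title(array &$options, string $input, bool $user_has_unfiltered_html): void
{
    // Mirror WordPress core's own rule for post content: only users holding
    // `unfiltered_html` may store markup. Everyone else (site admins in
    // multisite, editors, ...) gets a plain-text value. In a real plugin this
    // is sanitize_text_field(), or wp_kses_post() if some HTML must be kept.
    if (!$user_has_unfiltered_html) {
        $input = trim(strip_tags($input));
    }
    $options['fm_title'] = $input;
}

function safe_render_title(array $options): string
{
    // Escape for the HTML attribute context regardless of who saved the value
    // (esc_attr() in WordPress). ENT_QUOTES also encodes the double quote
    // that the payload relies on to leave the attribute.
    $value = htmlspecialchars($options['fm_title'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input name="title" value="' . $value . '">';
}

/* ---- Demo --------------------------------------------------------------- */

vuln_save_title($options, $payload);
echo "vulnerable: " . vuln_render_title($options) . PHP_EOL;

// Saved by a site admin who does NOT have unfiltered_html (multisite default).
safe_save_title($options, $payload, false);
echo "hardened:   " . safe_render_title($options) . PHP_EOL;

// Saved by a user who does have unfiltered_html: markup is kept, as core
// policy allows, but output escaping still stops it from executing here.
safe_save_title($options, $payload, true);
echo "hardened (unfiltered_html): " . safe_render_title($options) . PHP_EOL;
```

The two halves of the fix are independent: output escaping alone already prevents execution in this attribute context, and sanitising on save alone already removes the tag, but WordPress review guidance expects both, because a setting is typically rendered in several places and contexts and the one place that forgets to escape is where the stored payload fires.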
Impact
Successful exploitation runs attacker-controlled JavaScript in the session of another privileged user. Because the script can read WordPress nonces and issue authenticated requests, it can perform any action the victim can perform: ride or steal the session, alter site content, or change settings and accounts. In multisite this is the path from a site administrator, who lacks unfiltered_html, to a super admin who views the affected settings page [1].
Mitigation
The issue is fixed in version 1.15.32; update the plugin to 1.15.32 or later (network-wide in multisite, where the plugin is installed once for all sites). No workaround has been published. The vulnerability is publicly disclosed on WPScan [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://wpscan.com/vulnerability/240948d7-ece0-437f-b926-62937bdbd9db/ (reference tags: mitre, exploit, vdb-entry, technical-description)
News mentions: 0
No linked articles in our index yet.