Form Maker by 10Web < 1.15.33 - Admin+ Stored XSS
Description
The Form Maker by 10Web WordPress plugin before 1.15.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Form Maker by 10Web plugin before 1.15.33 allows admin-level stored XSS via unsanitized settings, bypassing unfiltered_html restrictions.
Vulnerability
Versions of the Form Maker by 10Web WordPress plugin prior to 1.15.33 fail to sanitize and escape some of the plugin's settings, allowing stored cross-site scripting (XSS). The issue is exploitable by high-privilege users (admin) even when the unfiltered_html capability is disallowed, such as in multisite setups. [1]
Exploitation
An attacker with admin privileges can inject malicious JavaScript into plugin settings. The injected script is stored and executed when other users, including lower-privileged users, view the affected settings page. No additional network access or user interaction beyond admin login is required. [1]
Impact
Successful exploitation results in stored XSS, allowing the attacker to execute arbitrary JavaScript in the context of other users' browsers. This can lead to session hijacking, defacement, or further compromise of the WordPress site. The attack bypasses unfiltered_html restrictions, making it particularly effective in multisite environments. [1]
Mitigation
The vulnerability is fixed in version 1.15.33 of the Form Maker by 10Web plugin. Users should update to this version or later. No workarounds are documented. The plugin is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date. [1]
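The sanitisation on save and escaping on output that the fix restores, shown as an added PHP example that is not Form Maker's code; the fm_demo_* option, group and function names are assumptions, and the "unsafe" functions only illustrate the pattern the advisory describes:

```php
<?php
// Added illustrative example, not Form Maker's own code. Option and
// function names (fm_demo_*) are hypothetical. It contrasts the pattern
// behind stored XSS in plugin settings with a hardened version.

// VULNERABLE PATTERN: the submitted value is stored verbatim and echoed
// unescaped, so any markup an admin saves is rendered for every viewer,
// even when WordPress has denied that admin unfiltered_html (multisite).
function fm_demo_save_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'fm_demo_save' );
    update_option( 'fm_demo_form_title', wp_unslash( $_POST['form_title'] ?? '' ) );
}
function fm_demo_render_unsafe() {
    echo '<h2>' . get_option( 'fm_demo_form_title', '' ) . '</h2>';
}

// HARDENED PATTERN: sanitize on save through register_setting(), honour
// the unfiltered_html capability exactly as core does, and escape on output.
function fm_demo_sanitize_title( $value ) {
    // A title is plain text: strip tags, control characters and whitespace.
    return sanitize_text_field( (string) $value );
}
function fm_demo_sanitize_description( $value ) {
    $value = (string) $value;
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value; // core grants raw HTML to this capability only
    }
    return wp_kses_post( $value ); // otherwise the post-safe HTML subset
}
add_action( 'admin_init', function () {
    $args = array( 'type' => 'string', 'default' => '' );
    register_setting( 'fm_demo_group', 'fm_demo_form_title',
        $args + array( 'sanitize_callback' => 'fm_demo_sanitize_title' ) );
    register_setting( 'fm_demo_group', 'fm_demo_form_description',
        $args + array( 'sanitize_callback' => 'fm_demo_sanitize_description' ) );
} );
function fm_demo_render_safe() {
    // Escape at the point of output regardless of what is stored.
    echo '<h2>' . esc_html( get_option( 'fm_demo_form_title', '' ) ) . '</h2>';
    echo '<div>' . wp_kses_post( get_option( 'fm_demo_form_description', '' ) ) . '</div>';
}
```

The sanitize callback runs as the user submitting the settings form, so the current_user_can( 'unfiltered_html' ) check reflects the multisite restriction the advisory says the plugin bypassed.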
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <1.15.33
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] wpscan.com/vulnerability/d5543b3b-1c28-481b-aba4-9a07d160e1f2/ (mitre; tags: exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.