CVE-2026-1065 Overview
The Form Maker by 10Web plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 1.15.35. The vulnerability stems from the plugin's default file upload allowlist including SVG files, combined with weak substring-based extension validation. This security flaw allows unauthenticated attackers to upload, through file upload fields in forms, malicious SVG files containing embedded JavaScript that executes when an administrator or site visitor views the file.
Critical Impact
Unauthenticated attackers can inject persistent JavaScript code via malicious SVG uploads, potentially leading to session hijacking, administrative account takeover, website defacement, or malware distribution to site visitors.
Affected Products
- Form Maker by 10Web WordPress Plugin versions ≤ 1.15.35
- WordPress installations with vulnerable Form Maker plugin enabled
- Sites with forms containing file upload fields that accept SVG files
Discovery Timeline
- February 3, 2026 - CVE-2026-1065 published to NVD
- February 3, 2026 - Last updated in NVD database
Technical Details for CVE-2026-1065
Vulnerability Analysis
This Stored Cross-Site Scripting vulnerability exploits a combination of two security weaknesses in the Form Maker plugin's file upload handling mechanism. First, the plugin's default configuration includes SVG files in the allowed upload extensions list. SVG files are XML-based vector graphics that can contain embedded JavaScript via <script> tags, event handlers, or other scripting mechanisms. Second, the plugin employs weak substring-based extension validation rather than strict content-type verification, making it trivial for attackers to bypass security controls.
When an unauthenticated user submits a form with a file upload field, they can upload a specially crafted SVG file containing malicious JavaScript. This script persists on the server and executes in the browser context of any user who subsequently views the uploaded file, including administrators. The vulnerability's scope is rated Changed (CVSS), meaning the malicious script can affect resources beyond the vulnerable component, potentially compromising the entire WordPress installation.
Root Cause
The root cause is twofold: an overly permissive default allowlist that includes SVG files capable of containing executable code, and insufficient validation that relies on substring matching for file extension checks. This approach fails to prevent malicious file uploads because it does not validate the actual content of uploaded files or properly sanitize SVG content to remove scripting elements. The vulnerable code paths can be traced through the frontend form processing model and the field addition JavaScript.
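The contrast between substring matching and a strict check is easiest to see in code. The following is an added illustration, not code from Form Maker or the advisory: the weak check models the kind of substring matching described above (the plugin's actual logic is an assumption and is not reproduced), and the strict check pairs an exact match on the final extension with a content sniff so that SVG text saved under an image extension is still rejected. All sample uploads are constructed.

```python
"""Weak substring-based extension matching versus a strict, content-aware check.

Added illustration, not code from Form Maker or the advisory. The weak check
models the kind of substring matching the advisory describes; the plugin's
actual logic is an assumption here and is not reproduced.
"""
import os
import re
from typing import Optional, Tuple

# A permissive default of the kind the advisory describes: svg is the risky entry.
PERMISSIVE_ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf", "svg"}
# Hardened allowlist: svg/svgz dropped entirely, as the advisory's workaround recommends.
STRICT_ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf"}


def weak_extension_check(filename: str, allowlist=PERMISSIVE_ALLOWLIST) -> bool:
    """Substring matching: accept if any allowed extension occurs anywhere in
    the name. It never isolates the real extension, so a name without any
    extension at all ('report-png') passes."""
    lowered = filename.lower()
    return any(ext in lowered for ext in allowlist)


def strict_extension(filename: str) -> Optional[str]:
    """Return the final extension in lowercase (without the dot), or None when
    the name has no usable extension (no dot, leading dot only, trailing dot)."""
    base = os.path.basename(filename)
    root, dot, ext = base.rpartition(".")
    if not dot or not root or not ext:
        return None
    return ext.lower()


def looks_like_svg(head: bytes) -> bool:
    """Content sniff on the first bytes: SVG is XML whose root element is
    <svg>, optionally preceded by an XML declaration, comments or a DOCTYPE.
    Only the first 1024 bytes are inspected (constructed limit)."""
    text = head[:1024].decode("utf-8", errors="ignore")
    return re.search(r"<svg[\s>/]", text, re.IGNORECASE) is not None


def strict_upload_check(filename: str, head: bytes,
                        allowlist=STRICT_ALLOWLIST) -> Tuple[bool, str]:
    """Strict validation: exact match of the final extension against an
    allowlist that excludes SVG, plus a content sniff so SVG text stored
    under an image extension is rejected too."""
    ext = strict_extension(filename)
    if ext is None:
        return False, "no extension"
    if ext not in allowlist:
        return False, f"extension '{ext}' not allowed"
    if looks_like_svg(head):
        return False, "content is SVG regardless of extension"
    return True, "ok"


# Constructed sample uploads (name, first bytes); none are real files.
SAMPLES = [
    ("report-png", b"\x89PNG\r\n\x1a\n"),                       # no extension at all
    ("photo.svg", b"<svg xmlns='http://www.w3.org/2000/svg'/>"),
    ("photo.png", b"<?xml version='1.0'?><svg xmlns='http://www.w3.org/2000/svg'/>"),
    ("PHOTO.JPG", b"\xff\xd8\xff\xe0"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(f"{name:12} weak={weak_extension_check(name)!s:5} "
              f"strict={strict_upload_check(name, head)}")
```

The sniff is deliberately a second line of defence, not a replacement for the allowlist: dropping svg and svgz from the allowed extensions is what removes the scripting surface, and the content check catches the renamed-SVG case the extension check alone cannot see.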
Attack Vector
The attack is network-based and requires no authentication or user interaction to exploit. An attacker identifies a WordPress site running a vulnerable version of Form Maker with a form containing file upload functionality. The attacker crafts an SVG file embedding malicious JavaScript—such as code to steal admin cookies, create backdoor accounts, or inject additional payloads. The attacker submits this SVG through the form's file upload field. When an administrator views uploaded files or when the SVG is rendered anywhere on the site, the JavaScript executes in the victim's browser context with their session privileges.
The malicious SVG payload could contain script elements that redirect users to phishing pages, exfiltrate session tokens to attacker-controlled servers, or modify WordPress settings if executed in an administrator's session. For detailed technical analysis, refer to the Wordfence Vulnerability Analysis.
Detection Methods for CVE-2026-1065
Indicators of Compromise
- Presence of SVG files in WordPress upload directories containing <script> tags, onload, onerror, or other JavaScript event handlers
- Unexpected SVG files in wp-content/uploads/ directories, particularly from form submissions
- Web server access logs showing POST requests to form endpoints followed by access to uploaded SVG files
- Browser developer console errors or unexpected script execution when viewing form submission data
Detection Strategies
- Implement file integrity monitoring to detect new SVG uploads in WordPress media directories
- Configure web application firewall (WAF) rules to inspect uploaded SVG content for JavaScript and event handlers
- Review WordPress plugin logs and form submission records for anomalous file uploads from unknown sources
- Deploy endpoint detection to identify SVG files with embedded scripting content in web directories
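The indicators of compromise and detection strategies above can be turned into a small offline scan of the uploads tree. The following is an added detection example, not code from the advisory or the plugin: it flags the indicators the page names (<script> elements and on* event-handler attributes) and, going slightly beyond the page, javascript: URLs in href/xlink:href attributes and <foreignObject> elements, which can embed HTML. Compressed .svgz files are decompressed by gzip magic bytes, and malformed XML is reported for manual review rather than silently passed. The directory layout and sample files are constructed.

```python
"""Scan a WordPress uploads tree for SVG files that carry script content.

Added detection example, not code from the advisory or the plugin. The
sample files below are constructed; the payload marker is a harmless alert.
"""
import gzip
import os
import tempfile
import xml.etree.ElementTree as ET

SVG_EXTENSIONS = (".svg", ".svgz")


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg_bytes(data: bytes) -> list:
    """Return a list of findings for one SVG document (empty means clean)."""
    if data[:2] == b"\x1f\x8b":            # gzip magic: a .svgz file
        data = gzip.decompress(data)
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed XML cannot be cleared; browsers may still render parts of it.
        return [f"unparseable XML ({exc}), review manually"]
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "script":
            findings.append("<script> element")
        elif tag == "foreignobject":
            findings.append("<foreignObject> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"event handler attribute {name}")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript: URL in href")
    return findings


def scan_directory(uploads_dir: str) -> dict:
    """Walk the tree and map each flagged SVG (path relative to uploads_dir)
    to its findings. Clean files and non-SVG files are omitted."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(uploads_dir):
        for fname in files:
            if not fname.lower().endswith(SVG_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                findings = scan_svg_bytes(fh.read())
            if findings:
                flagged[os.path.relpath(path, uploads_dir)] = findings
    return flagged


# Constructed samples: alert('sample') stands in for real script content.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4"/>
</svg>"""
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert('sample')">
  <script>alert('sample')</script>
  <a xlink:href="javascript:alert('sample')"><text x="1" y="9">x</text></a>
</svg>"""
BROKEN_SVG = """<svg xmlns="http://www.w3.org/2000/svg"><script>alert('sample')"""


def build_demo_dir() -> str:
    """Write the constructed samples into a fresh temp directory standing in
    for wp-content/uploads and return its path."""
    base = tempfile.mkdtemp(prefix="uploads-demo-")
    with open(os.path.join(base, "logo.svg"), "w") as fh:
        fh.write(BENIGN_SVG)
    with open(os.path.join(base, "logo-upload.svg"), "w") as fh:
        fh.write(MALICIOUS_SVG)
    with open(os.path.join(base, "logo-upload.svgz"), "wb") as fh:
        fh.write(gzip.compress(MALICIOUS_SVG.encode()))
    with open(os.path.join(base, "broken.svg"), "w") as fh:
        fh.write(BROKEN_SVG)
    with open(os.path.join(base, "photo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n")     # not an SVG, skipped by the walk
    return base


if __name__ == "__main__":
    for rel, found in sorted(scan_directory(build_demo_dir()).items()):
        print(rel, "->", "; ".join(found))
```

Run it against the real wp-content/uploads directory (the advisory's location for unexpected SVG uploads) rather than the demo directory; any flagged file should be quarantined and cross-checked against web server access logs for the POST that created it and the later requests that fetched it.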
Monitoring Recommendations
- Enable comprehensive logging for file upload activities in WordPress and review regularly
- Monitor for outbound connections from admin sessions to unknown external domains
- Set up alerts for new user account creation or privilege escalation events that could indicate post-exploitation activity
- Implement Content Security Policy (CSP) headers to mitigate XSS impact and monitor for CSP violation reports
How to Mitigate CVE-2026-1065
Immediate Actions Required
- Update Form Maker by 10Web plugin to version 1.15.36 or later immediately
- Audit existing uploaded files for SVG content containing JavaScript or event handlers and remove any suspicious files
- Temporarily disable file upload functionality in forms until the plugin is updated
- Review administrator accounts and active sessions for signs of compromise
Patch Information
The vulnerability has been addressed in Form Maker version 1.15.36. The patch implements stricter file validation and removes SVG from the default allowed extensions list or properly sanitizes SVG content. Review the official changeset for technical details on the security fix. Update through the WordPress admin dashboard by navigating to Plugins → Installed Plugins → Form Maker → Update, or via WP-CLI using wp plugin update form-maker.
Workarounds
- Remove svg and svgz from the allowed file extensions in Form Maker's file upload field settings
- Implement server-side SVG sanitization using libraries that strip scripting elements before storing uploaded files
- Configure .htaccess or nginx rules to serve SVG files with Content-Disposition: attachment header to prevent inline rendering
- Deploy a WAF rule to block SVG uploads containing script tags or JavaScript event handlers
# Apache .htaccess configuration to force SVG (and compressed SVGZ) download instead of inline rendering.
# Requires mod_headers; the IfModule guard avoids a server error on hosts where the module is absent.
<IfModule mod_headers.c>
    <FilesMatch "\.(svg|svgz)$">
        Header set Content-Disposition "attachment"
        Header set X-Content-Type-Options "nosniff"
    </FilesMatch>
</IfModule>

# Nginx configuration equivalent. Note that add_header inside a location block replaces
# any add_header directives inherited from the server block, so repeat those here if needed.
location ~* \.(svg|svgz)$ {
    add_header Content-Disposition "attachment";
    add_header X-Content-Type-Options "nosniff";
}
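For the server-side sanitization workaround, the following is an added example using only the Python standard library; it is not Form Maker's code and not a substitute for dropping svg and svgz from the allowlist, which is the simpler option. It strips the script-bearing constructs discussed on this page (<script> elements and on* event-handler attributes) plus javascript: URLs in href/xlink:href and <foreignObject> elements, reports what it removed, and refuses malformed XML or a non-SVG root instead of storing it. The sample upload is constructed.

```python
"""Server-side SVG sanitizer: strip script-bearing elements and attributes
before an uploaded SVG is stored.

Added example, not Form Maker's code. Removed: <script> and <foreignObject>
elements, on* event-handler attributes, javascript: URLs in href/xlink:href.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
DANGEROUS_ELEMENTS = {"script", "foreignobject"}


def _local(name: str) -> str:
    """Strip an XML namespace prefix and lowercase the local name."""
    return name.rsplit("}", 1)[-1].lower()


def _clean(elem: ET.Element, removed: List[str]) -> None:
    """Recursively strip dangerous attributes and children, logging each removal."""
    tag = _local(elem.tag)
    for attr in list(elem.attrib):
        name = _local(attr)
        value = elem.attrib[attr].strip().lower()
        if name.startswith("on") or (name == "href" and value.startswith("javascript:")):
            removed.append(f"attribute {name} on <{tag}>")
            del elem.attrib[attr]
    for child in list(elem):
        if _local(child.tag) in DANGEROUS_ELEMENTS:
            removed.append(f"element <{_local(child.tag)}>")
            elem.remove(child)
        else:
            _clean(child, removed)


def sanitize_svg(data: bytes) -> Tuple[bytes, List[str]]:
    """Parse, clean and re-serialize an uploaded SVG.

    Malformed XML raises ET.ParseError and a non-<svg> root raises ValueError;
    in both cases the caller should reject the upload rather than store it.
    Returns the cleaned document and the list of removals."""
    ET.register_namespace("", SVG_NS)          # serialize as xmlns="..." not ns0:
    ET.register_namespace("xlink", XLINK_NS)
    root = ET.fromstring(data)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    removed: List[str] = []
    _clean(root, removed)
    return ET.tostring(root, encoding="utf-8"), removed


# Constructed sample upload; alert('sample') stands in for real script content.
SAMPLE_UPLOAD = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 10 10"
     onload="alert('sample')">
  <circle cx="5" cy="5" r="4"/>
  <script>alert('sample')</script>
  <a xlink:href="javascript:alert('sample')"><text x="1" y="9">x</text></a>
</svg>"""

if __name__ == "__main__":
    cleaned, removals = sanitize_svg(SAMPLE_UPLOAD)
    print("removed:", removals)
    print(cleaned.decode())
```

A second pass over the cleaned output removes nothing, which is a useful property to assert in an upload handler: store the file only when the sanitizer reports that nothing was stripped on the re-check. A maintained sanitizer library with a full element and attribute allowlist is the better choice where SVG uploads must stay enabled; this stdlib version covers only the constructs named here.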
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.