PT-2026-6028 · WordPress · Wordpress+1

Supakiad S · Published 2026-02-03 · Updated 2026-02-03 · CVE-2026-1058

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions
Form Maker plugin for WordPress versions prior to 1.15.36

Description
The Form Maker plugin for WordPress is susceptible to Stored Cross-Site Scripting through hidden field values. Insufficient output escaping when displaying these values in the admin submissions list allows for the execution of arbitrary web scripts. The plugin calls html_entity_decode() on user-supplied hidden field values and does not escape the result before output, so HTML entity-encoded payloads are converted into executable JavaScript. This enables unauthenticated attackers to inject malicious scripts into the admin submissions view, which execute when an administrator accesses the submissions list.

Recommendations
Update the Form Maker plugin to version 1.15.36 or later.
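
The decode-then-print pattern from the description, next to a form that escapes at the point of output, as an added example (not Form Maker's source code and not the vendor's patch). The function names and sample values are hypothetical and constructed, and the esc_html() fallback is a stand-in so the file runs outside WordPress.

```php
<?php
// Added illustration; not Form Maker's source. Function names are hypothetical.

// Outside WordPress, stand in for esc_html() so the file runs on its own.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Pattern the description warns about: decode stored entities, then print as-is.
function render_cell_unescaped(string $stored): string {
    return '<td>' . html_entity_decode($stored, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Hardened: decoding may still be wanted for display, but the result is
// escaped at the point of output, so it can only ever be rendered as text.
function render_cell_escaped(string $stored): string {
    $decoded = html_entity_decode($stored, ENT_QUOTES, 'UTF-8');
    return '<td>' . esc_html($decoded) . '</td>';
}

// Regression check: no '<' or '>' from the value may survive into the cell body.
function cell_has_live_markup(string $html): bool {
    $inner = substr($html, strlen('<td>'), -strlen('</td>'));
    return strpbrk($inner, '<>') !== false;
}

// Constructed hidden-field values as they might sit in the submissions table.
$samples = [
    'plain'          => 'campaign-42',
    'entity-encoded' => '&lt;script&gt;/* constructed marker */&lt;/script&gt;',
    'double-encoded' => '&amp;lt;b&amp;gt;x&amp;lt;/b&amp;gt;',
];

foreach ($samples as $label => $stored) {
    $before = render_cell_unescaped($stored);
    $after  = render_cell_escaped($stored);
    printf("%-15s unescaped live=%s  escaped live=%s\n",
        $label,
        cell_has_live_markup($before) ? 'yes' : 'no',
        cell_has_live_markup($after) ? 'yes' : 'no');
    echo "  $after\n";
}
```

A check like cell_has_live_markup() can be kept as a unit test around any admin list renderer, so that a later change that reintroduces decoding without escaping fails the build.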

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-1058

Affected Products: Form Maker, WordPress