[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fReV98fUOFZh0tKg4P8WJvXj9gFO3xxPBEx_JrrrUNGc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-1058","form-maker-by-10web-unauthenticated-stored-cross-site-scripting-via-hidden-field","Form Maker by 10Web \u003C= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via Hidden Field","The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses html_entity_decode() on user-supplied hidden field values without subsequent escaping before output, which converts HTML entity-encoded payloads back into executable JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin submissions view that will execute whenever an administrator accesses the submissions list.","form-maker",null,"\u003C=1.15.35","1.15.36","high",7.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:L","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-02 18:21:06","2026-02-03 06:38:07",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe0ec0027-2792-4069-b413-8fdd951f5fe7?source=api-prod",1,[],"researched",false,3,"This research plan targets **CVE-2026-1058**, a stored Cross-Site Scripting (XSS) vulnerability in the \"Form Maker by 10Web\" plugin. The vulnerability arises because the plugin uses `html_entity_decode()` on hidden field values before displaying them in the admin submissions list, without subsequent escaping.\n\n### 1. Vulnerability Summary\n* **Vulnerability:** Unauthenticated Stored XSS.\n* **Affected Component:** Admin Submissions View (Submissions list\u002Fdetails).\n* **Root Cause:** Improper output neutralization. User-supplied input for \"Hidden\" type fields is processed with `html_entity_decode()`. If an attacker submits a payload using HTML entities (e.g., `<script>`), the plugin decodes it back into executable HTML\u002FJavaScript (`\u003Cscript>`) and echoes it to the administrator's browser.\n* **Affected Versions:** \u003C= 1.15.35.\n\n### 2. Attack Vector Analysis\n* **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Action:** `form_maker_submit` (inferred from standard Form Maker submission logic).\n* **Vulnerable Parameter:** The value associated with a \"Hidden\" field type. These are typically sent in the `POST` body as part of the form data (e.g., `submission_data` or indexed field parameters like `field_1`, `field_2`).\n* **Authentication:** None (Unauthenticated).\n* **Preconditions:** A form must exist that contains at least one \"Hidden\" field.\n\n### 3. Code Flow\n1. **Submission (Public):**\n * The frontend form sends a `POST` request to `admin-ajax.php` with `action=form_maker_submit` (inferred).\n * The plugin receives the data and saves it to the `{wp_prefix}form_maker_submits` table.\n2. **Processing (Admin):**\n * An administrator navigates to **Form Maker > Submissions**.\n * The plugin fetches the submissions for the specific form.\n * The code iterates through the fields. When it encounters a field defined as type `hidden`, it retrieves the stored value.\n * **The Sink:** The plugin calls `html_entity_decode($field_value)` and `echo`s the result directly into the table cell or detail view.\n * If the value was `<img src=x onerror=alert(1)>`, it becomes `\u003Cimg src=x onerror=alert(1)>` in the DOM, triggering execution.\n\n### 4. Nonce Acquisition Strategy\nForm Maker typically requires a frontend nonce for form submission to prevent automated spam.\n\n1. **Identify Shortcode:** The plugin uses `[form_maker id=\"ID\"]`.\n2. **Create Test Page:**\n * `wp post create --post_type=page --post_status=publish --post_title=\"Contact\" --post_content='[form_maker id=\"1\"]'` (assuming Form ID 1 exists).\n3. **Navigate and Extract:**\n * Use `browser_navigate` to the newly created page.\n * Form Maker localizes its data in a variable, often named `fm_object` or similar, or attaches nonces to the form DOM.\n * **Inferred JS Variable:** `window.fm_object?.ajax_nonce` or `window.fm_ajax?.nonce`.\n * **Alternative:** Extract from the hidden input field in the form: `browser_eval(\"document.querySelector('input[name=\\\"fm_nonce\\\"]')?.value\")`.\n\n### 5. Exploitation Strategy\nThe goal is to submit a form containing a payload in a hidden field.\n\n* **Step 1: Discovery**\n * Locate an existing form ID: `wp db query \"SELECT id FROM wp_form_maker\"`\n * Check if it has a hidden field: `wp db query \"SELECT * FROM wp_form_maker WHERE id=1\"` (Analyze the `form_fields` column which is usually JSON).\n* **Step 2: Setup (If needed)**\n * If no form exists or no form has a hidden field, create one via WP-CLI or the UI (see Section 6).\n* **Step 3: Submission Request**\n * **Method:** `POST`\n * **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n * **Content-Type:** `application\u002Fx-www-form-urlencoded`\n * **Body (Example):**\n ```text\n action=form_maker_submit&\n form_id=1&\n field_1=NormalData&\n field_HIDDEN_ID=<img src=x onerror=alert(document.domain)>&\n nonce=[EXTRACTED_NONCE]\n ```\n * *Note: `field_HIDDEN_ID` represents the actual ID\u002Fname of the hidden field in the form.*\n\n### 6. Test Data Setup\n1. **Create a Form:** Ensure a form exists with a hidden field.\n * If creating manually via WP-CLI is complex due to serialized\u002FJSON data, use `browser_navigate` to `wp-admin\u002Fadmin.php?page=form_maker` and create a form with one \"Hidden\" field.\n2. **Identify Field IDs:** Note the ID assigned to the hidden field (e.g., `4`).\n3. **Publish Form:** Create a page with the shortcode `[form_maker id=\"X\"]` where X is the new form ID.\n\n### 7. Expected Results\n* The `http_request` for submission should return a success message (e.g., `{\"status\":\"success\"}` or a success redirect).\n* When an admin logs in and visits **Form Maker > Submissions**, the browser should execute the JavaScript in the context of the WordPress admin.\n\n### 8. Verification Steps\n1. **Database Check:**\n * `wp db query \"SELECT * FROM wp_form_maker_submits ORDER BY id DESC LIMIT 1\"`\n * Verify the `element_value` for the hidden field contains the payload `<img src=x onerror=alert(document.domain)>`.\n2. **UI Check (Automated):**\n * Log in as admin.\n * Navigate to the submissions page for the specific form.\n * Use `browser_eval(\"document.body.innerHTML.includes('\u003Cimg src=x onerror=alert')\")` to confirm the decoded payload is present in the source.\n\n### 9. Alternative Approaches\n* **Double Encoding:** If the plugin has some sanitization on submission, try double encoding the payload: `&lt;script&gt;`.\n* **Submission via Frontend:** Instead of `admin-ajax.php`, navigate to the published page using `browser_navigate` and use `browser_type` to fill and submit the form, which ensures all required JS-generated fields are included.\n* **Different Hidden Source:** Form Maker hidden fields can sometimes be populated via URL parameters. Try: `http:\u002F\u002Flocalhost:8080\u002Fcontact-page\u002F?hidden_field_name=<script>alert(1)<\u002Fscript>` and then submitting the form normally.","The Form Maker plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via hidden field values. The plugin incorrectly uses html_entity_decode() on user-supplied hidden field input before displaying it in the admin submissions list, allowing attackers to bypass initial entity encoding and execute arbitrary JavaScript in an administrator's browser session.","\u002F\u002F Inferred from research plan code flow analysis\n\u002F\u002F Located in the submissions display logic, likely in admin views\n\nif ($field_type === 'hidden') {\n \u002F\u002F The plugin retrieves the stored value and decodes entities without subsequent escaping\n echo html_entity_decode($field_value);\n}","--- a\u002Fadmin\u002Fviews\u002FWDFMViewSubmissions.php\n+++ b\u002Fadmin\u002Fviews\u002FWDFMViewSubmissions.php\n@@ -10,7 +10,7 @@\n if ($field_type == 'hidden') {\n- echo html_entity_decode($field_value);\n+ echo esc_html($field_value);\n }","1. Identify a public-facing form created by Form Maker that contains at least one 'Hidden' field type.\n2. Extract the required submission nonce (typically found in the form's HTML as a hidden input named 'fm_nonce' or localized in the 'fm_object' JavaScript variable).\n3. Craft a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the action 'form_maker_submit' and the target form ID.\n4. In the parameter corresponding to the hidden field, include an HTML-entity-encoded XSS payload (e.g., '<img src=x onerror=alert(document.domain)>').\n5. Wait for an administrator to view the submissions for that specific form in the WordPress dashboard.\n6. Upon loading the submissions list, the plugin decodes the entity-encoded payload back into executable HTML, triggering the script in the admin's session.","gemini-3-flash-preview","2026-04-27 17:03:03","2026-04-27 17:04:12",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","1.15.35","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fform-maker\u002Ftags\u002F1.15.35","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fform-maker.1.15.35.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fform-maker\u002Ftags\u002F1.15.36","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fform-maker.1.15.36.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fform-maker\u002Ftags"]