CVE-2026-1058

7.1 HIGH

📋 TL;DR

The Form Maker WordPress plugin has a stored XSS vulnerability in versions up to 1.15.35. Unauthenticated attackers can inject malicious JavaScript into hidden form fields, which executes when WordPress administrators view form submissions in the admin panel. This affects all WordPress sites using vulnerable versions of the Form Maker plugin.

💻 Affected Systems

Products:
  • Form Maker WordPress Plugin
Versions: All versions up to and including 1.15.35
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the Form Maker plugin to be installed and active on a WordPress site. The vulnerability is in the admin submissions view.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could compromise administrator accounts, install backdoors, steal sensitive data, or take full control of the WordPress site.

🟠 Likely Case

Attackers inject malicious scripts to steal administrator session cookies or credentials, leading to site compromise.

🟢 If Mitigated

With proper output escaping and input validation, the malicious scripts would be rendered harmless as text rather than executed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is well-documented with public proof-of-concept references. Attackers can exploit it by submitting forms with malicious hidden field values.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.15.36 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3447011%40form-maker%2Ftrunk&old=3440395%40form-maker%2Ftrunk&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Form Maker plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.15.36+ from WordPress.org and manually update.

🔧 Temporary Workarounds

Disable Form Maker Plugin

Platforms: all

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate form-maker

Restrict Admin Access

Platforms: all

Limit access to the WordPress admin panel to trusted IP addresses only.

🧯 If You Can't Patch

  • Remove or disable the Form Maker plugin entirely
  • Implement a web application firewall (WAF) with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check the Form Maker plugin version in the WordPress admin under Plugins → Installed Plugins. If the version is 1.15.35 or lower, the site is vulnerable.

Check Version:

wp plugin get form-maker --field=version

Verify Fix Applied:

After updating, verify the plugin version is 1.15.36 or higher in the WordPress plugins list.
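A scripted version of the check above, added here as an example and not part of the advisory or the plugin: it compares the installed Form Maker version against the fixed release (1.15.36, from this advisory) with a version-aware sort, and assumes WP-CLI is available and the script is run from the WordPress root on a system whose sort supports -V (GNU coreutils).

```shell
#!/bin/sh
# Added example for CVE-2026-1058: is the installed Form Maker version affected?
# Affected: <= 1.15.35. Fixed: 1.15.36 (both values taken from the advisory).
# Assumes GNU sort (-V) and, for check_site, WP-CLI run from the WordPress root.

FIXED_VERSION="1.15.36"

# form_maker_vulnerable VERSION
#   returns 0 if VERSION is older than the fixed release (affected),
#           1 if VERSION is the fixed release or newer (patched),
#           2 if VERSION is empty.
# sort -V orders numerically per component, so 1.15.9 < 1.15.35 is handled
# correctly where a plain string comparison would not be.
form_maker_vulnerable() {
    ver="$1"
    [ -n "$ver" ] || return 2
    lowest=$(printf '%s\n%s\n' "$ver" "$FIXED_VERSION" | sort -V | head -n 1)
    if [ "$lowest" = "$FIXED_VERSION" ]; then
        return 1   # installed version >= 1.15.36: patched
    fi
    return 0       # installed version < 1.15.36: affected
}

# check_site: query the live installation with WP-CLI and print a verdict.
# Exit status mirrors form_maker_vulnerable (0 = affected, 1 = patched, 2 = unknown).
check_site() {
    ver=$(wp plugin get form-maker --field=version 2>/dev/null) || {
        echo "form-maker not installed or wp-cli unavailable"
        return 2
    }
    if form_maker_vulnerable "$ver"; then
        echo "VULNERABLE: form-maker $ver (update to $FIXED_VERSION or later)"
        return 0
    fi
    echo "OK: form-maker $ver"
    return 1
}
```

Source the file and call `check_site` from the WordPress root; the exit status makes it usable from a fleet-wide inventory loop.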

📡 Detection & Monitoring

Log Indicators:

  • Unusual form submissions with encoded HTML/JavaScript in hidden fields
  • Multiple form submissions from same IP with varying payloads

Network Indicators:

  • HTTP POST requests to form submission endpoints containing encoded script tags

SIEM Query:

source="wordpress.log" AND "form-maker" AND ("hidden" OR "script" OR "javascript")
