Plugin Vulnerability Hub
Plugin | 34 known issues | Latest disclosed Apr 13, 2026

Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder Vulnerabilities

Review known vulnerability records for the WordPress plugin Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder (`form-maker`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-4388, CVE-2026-39502 and CVE-2026-1058, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 34
High or Critical: 11
Patch Coverage: 100%
Last Updated: Apr 13, 2026

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 34 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 1 critical and 10 high severity findings.
Recent CVEs: CVE-2026-4388, CVE-2026-39502 and CVE-2026-1058
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Sorted by latest disclosure date so newly published issues surface first.

Plugin | High | Patched: Yes | CVE-2026-4388
Form Maker by 10Web <= 1.15.40 - Unauthenticated Stored Cross-Site Scripting via Matrix Field Text Box

The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization (`sanitize_text_field` strips tag...

Published: Apr 13, 2026
Patched Release: 1.15.41
Affected Versions: Versions up to 1.15.40
Next Step: Update to 1.15.41 or newer if supported.

Plugin | High | Patched: Yes | CVE-2026-39502
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.38 - Unauthenticated SQL Injection

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.15.38 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing...

Published: Apr 08, 2026
Patched Release: 1.15.39
Affected Versions: Versions up to 1.15.38
Next Step: Update to 1.15.39 or newer if supported.

Plugin | High | Patched: Yes | CVE-2026-1058
Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via Hidden Field

The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses h...

Published: Feb 02, 2026
Patched Release: 1.15.36
Affected Versions: Versions up to 1.15.35
Next Step: Update to 1.15.36 or newer if supported.

Plugin | High | Patched: Yes | CVE-2026-1065
Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via SVG file

The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This mak...

Published: Feb 02, 2026
Patched Release: 1.15.36
Affected Versions: Versions up to 1.15.35
Next Step: Update to 1.15.36 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2025-48341
Form Maker by 10Web <= 1.15.33 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.15.33 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and...

Published: May 19, 2025
Patched Release: 1.15.34
Affected Versions: Versions up to 1.15.33
Next Step: Update to 1.15.34 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2024-10680
Form Maker by 10Web <= 1.15.31 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.15.31 due to insufficient input sanitization and output escaping. This makes it...

Published: Mar 26, 2025
Patched Release: 1.15.32
Affected Versions: Versions up to 1.15.31
Next Step: Update to 1.15.32 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2024-10560
Form Maker by 10Web <= 1.15.29 - Authenticated (Admin+) Stored Cross-Site Scripting

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.15.29 due to insufficient input sanitization and output escaping. This makes it...

Published: Mar 11, 2025
Patched Release: 1.15.30
Affected Versions: Versions up to 1.15.29
Next Step: Update to 1.15.30 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2024-10560
Form Maker by 10Web <= 1.15.29 - Authenticated (Admin+) Stored Cross-Site Scripting

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.15.29 due to insufficient input sanitization and output escaping. This makes it...

Published: Mar 03, 2025
Patched Release: 1.15.30
Affected Versions: Versions up to 1.15.29
Next Step: Update to 1.15.30 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2024-10558
Form Maker by 10Web <= 1.15.29 - Authenticated (Admin+) Stored Cross-Site Scripting

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.15.29 due to insufficient input sanitization and output escaping. This makes it...

Published: Mar 02, 2025
Patched Release: 1.15.30
Affected Versions: Versions up to 1.15.29
Next Step: Update to 1.15.30 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2024-13053
Form Maker by 10Web <= 1.15.32 - Authenticated (Admin+) Stored Cross-Site Scripting

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.15.32 due to insufficient input sanitization and output escaping. This makes it...

Published: Feb 07, 2025
Patched Release: 1.15.33
Affected Versions: Versions up to 1.15.32
Next Step: Update to 1.15.33 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2024-13605
Form Maker by 10Web <= 1.15.32 - Authenticated (Admin+) Stored Cross-Site Scripting

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.15.32 due to insufficient input sanitization and output escaping. This makes it...

Published: Feb 03, 2025
Patched Release: 1.15.33
Affected Versions: Versions up to 1.15.32
Next Step: Update to 1.15.33 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2024-10562
Form Maker by 10Web <= 1.15.30 - Authenticated (Admin+) Stored Cross-Site Scripting

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.15.30 due to insufficient input sanitization and output escaping. This makes it...

Published: Dec 17, 2024
Patched Release: 1.15.31
Affected Versions: Versions up to 1.15.30
Next Step: Update to 1.15.31 or newer if supported.