Atomic Edge analysis of CVE-2026-1058:
This vulnerability is an unauthenticated stored cross-site scripting (XSS) flaw in the Form Maker WordPress plugin. The vulnerability affects the plugin’s admin submissions view, allowing attackers to inject malicious scripts that execute when administrators view form submissions. The CVSS score of 7.1 reflects the high impact on administrative users who control the WordPress site.
Atomic Edge research identifies the root cause in the file form-maker/admin/views/Submissions_fm.php at line 758. The plugin processes hidden field values with the html_entity_decode() function but fails to apply proper output escaping. The vulnerable code directly echoes the decoded user input without sanitization. This occurs specifically when the field type is ‘type_hidden’ in the submissions display logic.
The exploitation method involves submitting a form containing a hidden field with an HTML entity-encoded JavaScript payload. Attackers can target any form created with the plugin. The payload uses entities like &lt;script&gt;alert(document.cookie)&lt;/script&gt;, which the html_entity_decode() function converts back into a live script tag. When an administrator views the submissions list in /wp-admin/admin.php?page=submissions_fm, the malicious script executes in their browser session.
The patch adds an esc_html() wrapper around the html_entity_decode() output at line 758. This change ensures that any HTML entities decoded from user input are escaped again before being rendered in the browser, so the decoded value is displayed as text rather than interpreted as markup. The patch also adds esc_html() to the text field output at line 768 for consistency. The version number in form-maker.php is updated from 1.15.35 to 1.15.36 to reflect the security fix.
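To make the root cause and the fix concrete, the following is an added PHP example; it is not the plugin's code and not part of the Atomic Edge analysis. It models a hidden-field value as a form submission would leave it stored, renders it the vulnerable way (html_entity_decode() output echoed as-is) and the patched way (the decoded value escaped again for an HTML context), and adds a check a site owner could run over already-stored submission values to find entries that decode into markup. The esc_html_standin() function, the render_* functions, looks_like_markup_after_decode() and the sample value are assumptions introduced here so the script runs outside WordPress.

```php
<?php
// Added example modelling the Submissions_fm.php pattern; not the plugin's code.

// Stand-in for WordPress esc_html() so this runs without WordPress loaded.
// Assumption: for this purpose it only needs to HTML-escape <, >, &, ' and ".
function esc_html_standin(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable rendering (pre-1.15.36 pattern): entities are decoded and the
// result is emitted directly, so decoded tags become live markup.
function render_hidden_vulnerable(string $stored): string
{
    return html_entity_decode($stored);
}

// Patched rendering (1.15.36 pattern): same decode, but the decoded value is
// escaped for an HTML context before it reaches the page, so tags stay text.
function render_hidden_patched(string $stored): string
{
    return esc_html_standin(html_entity_decode($stored));
}

// Defender-side check for existing submissions: does a stored value turn into
// markup once decoded the way the submissions view decodes it? Any such entry
// is worth reviewing or removing after upgrading to 1.15.36.
function looks_like_markup_after_decode(string $stored): bool
{
    $decoded = html_entity_decode($stored);
    // A '<' followed by a tag name or a closing slash is enough to flag it.
    return (bool) preg_match('/<\/?[a-z]/i', $decoded);
}

// Constructed sample value: an entity-encoded script tag, as described above,
// stored in a hidden field. Not taken from a real submission.
$storedHiddenValue = '&lt;script&gt;alert(document.cookie)&lt;/script&gt;';

// A benign value for comparison, also constructed.
$storedBenignValue = 'campaign=spring&amp;source=newsletter';

echo "vulnerable rendering: " . render_hidden_vulnerable($storedHiddenValue) . "\n";
echo "patched rendering:    " . render_hidden_patched($storedHiddenValue) . "\n";

foreach ([$storedHiddenValue, $storedBenignValue] as $value) {
    $flag = looks_like_markup_after_decode($value) ? 'REVIEW' : 'ok';
    echo "[$flag] $value\n";
}
```

Running this with the PHP CLI shows the vulnerable function handing back a raw script tag while the patched function hands back the same content with its angle brackets re-encoded, which is exactly the difference the esc_html() wrapper at line 758 makes. The scan function is the part worth keeping: applied to each stored hidden-field value before the submissions page is opened, it surfaces entries that would have executed under the old code, and it reports nothing for ordinary values that merely contain an encoded ampersand.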
Successful exploitation allows attackers to execute arbitrary JavaScript in the context of an administrator’s WordPress session. This can lead to complete site compromise through session hijacking, privilege escalation, backdoor installation, or content manipulation. The stored nature means a single malicious form submission affects all administrators who view the submissions page until the payload is removed.
