Atomic Edge analysis of CVE-2026-1065:
This vulnerability is an unauthenticated stored cross-site scripting (XSS) flaw in the Form Maker by 10Web WordPress plugin. The vulnerability exists in the plugin’s file upload functionality, allowing attackers to upload malicious SVG files containing JavaScript. The uploaded files are stored on the server and execute when viewed by administrators or site visitors, leading to a high-severity impact with a CVSS score of 7.2.
The root cause is a combination of two issues in the plugin’s file upload handling. First, the plugin’s default allowlist includes SVG files. Second, the validation logic in `/form-maker/frontend/models/form_maker.php` around line 1852 uses weak substring-based extension checking rather than proper MIME type validation. This allows an attacker to upload an SVG file with embedded JavaScript. The vulnerability manifests when the uploaded file content is later output without proper escaping in the admin interface, specifically in `/form-maker/admin/views/Submissions_fm.php` at lines 759 and 768, where `$element_value` and `$textdata['text']` are echoed directly.
Exploitation requires an attacker to submit a form containing a file upload field. The attacker crafts a malicious SVG file with JavaScript payloads within `<script>` tags or event handlers (e.g., `onload`). They then submit this file via a form submission POST request to the plugin’s frontend handler. The plugin accepts the file due to the weak validation. The stored file path is later rendered in the WordPress admin panel under the Submissions page without output escaping, causing the JavaScript to execute in the victim’s browser context.
The patch addresses the issue in two locations. In `/form-maker/frontend/models/form_maker.php`, the developers added a MIME type check using `mime_content_type($fileTemp)` before moving the uploaded file. If the MIME type equals `'image/svg+xml'`, the upload is rejected. This prevents SVG files from being saved. In `/form-maker/admin/views/Submissions_fm.php`, the developers added `esc_html()` calls to sanitize the output of `$element_value` and `$textdata['text']` on lines 759 and 768. This provides a secondary defense layer by ensuring any malicious content that might bypass the upload filter is neutralized during display.
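To make the two layers of the fix concrete, here is an added PHP example (not Form Maker's code): a substring-style extension check of the kind described above beside a hardened check that inspects the real final extension and the sniffed MIME type and refuses SVG, plus escaped output. The allowlist contents, the function names and the use of `htmlspecialchars()` in place of WordPress's `esc_html()` are assumptions.

```php
<?php
// Added illustration, not Form Maker's code: a substring-style extension check
// beside a hardened check (exact extension + MIME sniffing that rejects SVG)
// and escaped output, mirroring the two fixes described above.
// Assumed allowlist with 'svg' deliberately absent (the plugin's real default
// list is not reproduced here).
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif', 'application/pdf'];

// Weak pattern of the kind the advisory describes: an allowed extension found
// anywhere in the name passes, so the real final extension is never examined.
function weakExtensionCheck(string $filename): bool
{
    foreach (ALLOWED_EXTENSIONS as $ext) {
        if (stripos($filename, '.' . $ext) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened check: the actual final extension and the MIME type sniffed from
// the bytes must both be allowlisted; SVG is refused explicitly, as in the patch.
function hardenedUploadCheck(string $filename, string $fileTemp): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return false;
    }
    $mime = mime_content_type($fileTemp);
    if ($mime === false || $mime === 'image/svg+xml') {
        return false;
    }
    return in_array($mime, ALLOWED_MIME, true);
}

// Output side: escape stored values before echoing them into the admin view;
// htmlspecialchars() stands in for WordPress's esc_html() outside WordPress.
function renderSubmissionValue(string $elementValue): string
{
    return '<td>' . htmlspecialchars($elementValue, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}
// Constructed sample: SVG bytes carrying script, written to a temp file the
// way an upload handler receives $_FILES[...]['tmp_name'].
$fileTemp = tempnam(sys_get_temp_dir(), 'fm');
file_put_contents($fileTemp, '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>');
var_dump(weakExtensionCheck('photo.jpg.svg'), hardenedUploadCheck('photo.jpg.svg', $fileTemp));
echo renderSubmissionValue('<svg onload=alert(1)>'), PHP_EOL;
unlink($fileTemp);
```

Inside WordPress, the same output step is `esc_html($element_value)`, and the upload step can additionally be routed through the core `wp_check_filetype_and_ext()` check so that the extension and the sniffed type are compared against the site's registered MIME map rather than a plugin-local list.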
Successful exploitation leads to stored XSS attacks. An attacker can inject arbitrary JavaScript that executes in the context of a logged-in administrator viewing form submissions. This can result in session hijacking, site defacement, privilege escalation, or the creation of new administrative accounts. Since the attack is unauthenticated and the payload is stored, it can affect multiple victims over time, amplifying the impact.
