CVE-2026-1065

High
CWE-434 — Weakness Type
Published: Feb 3, 2026  ·  Modified: Feb 28, 2026  ·  Source: NVD
CVSS v3
7.2
📄 Description (English)

The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files, combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors, via file upload fields in forms, provided they can submit forms.

🤖 AI Executive Summary

The Form Maker by 10Web WordPress plugin (versions up to and including 1.15.35) contains a Stored Cross-Site Scripting (XSS) vulnerability that allows unauthenticated attackers to upload SVG files with embedded JavaScript. The weakness comes from SVG being in the default file upload allowlist combined with weak, substring-based extension validation; the embedded script executes in the browser of any administrator or visitor who views the uploaded file. Any WordPress installation running a vulnerable version of the plugin with form submission enabled is affected.

🤖 AI Intelligence Analysis (analyzed May 8, 2026 21:45)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using WordPress for government portals, banking customer service forms, healthcare patient intake systems, e-commerce platforms, and telecommunications customer support are at significant risk. Government entities under NCA oversight, SAMA-regulated financial institutions, and healthcare providers under MOH supervision face elevated risk due to potential data exfiltration and credential theft through malicious form submissions. The vulnerability is particularly critical for organizations processing sensitive customer data through web forms, including PII, financial information, and health records. E-commerce and fintech sectors relying on WordPress plugins for payment form processing face compliance violations under SAMA CSF and PCI DSS requirements.
🏢 Affected Saudi Sectors
Banking and Financial Services, Government and Public Administration, Healthcare and Medical Services, Energy and Utilities, Telecommunications, E-commerce and Retail, Education, Insurance
⚖️ Saudi Risk Score (AI): 7.8 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all WordPress installations using Form Maker by 10Web plugin and document current versions
2. Disable form submission functionality on affected plugins until patching is completed
3. Review uploaded files in the past 90 days for suspicious SVG files with JavaScript content
4. Audit access logs for unauthorized file uploads and subsequent administrator/visitor access

PATCHING GUIDANCE:
1. Update Form Maker by 10Web to version 1.15.36 or later immediately
2. Test patches in staging environment before production deployment
3. Clear browser cache and CDN cache after patching

COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement Web Application Firewall (WAF) rules to block SVG file uploads
2. Configure file upload restrictions to exclude SVG from allowed extensions
3. Implement Content Security Policy (CSP) headers to prevent inline script execution
4. Restrict file upload permissions to authenticated users only
5. Store uploaded files outside web root or in non-executable directories
6. Implement server-side file type validation using MIME type checking, not just extension validation

DETECTION RULES:
1. Monitor for POST requests to form submission endpoints with SVG file uploads
2. Alert on SVG files containing <script>, javascript:, or event handler attributes
3. Track administrator access to uploaded file directories
4. Monitor for unusual JavaScript execution in form submission contexts
5. Log all file uploads with file type, size, and submitter IP address
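As an added example (not code from the plugin, the vendor or this advisory), the following Python sketch covers compensating control 6 and detection rule 2 above: a strict extension allowlist with magic-byte content checking, shown beside the substring-matching anti-pattern the description refers to, plus an audit scan that flags stored SVGs carrying inline script, javascript: URLs or event-handler attributes. The allowlist, the assumed form of the weak check and the sample files are constructed for this illustration.

```python
import re

# Constructed allowlist for this example; the plugin's real default list is not
# reproduced on the page beyond the fact that it included SVG.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}   # SVG deliberately absent

# Magic-byte prefixes for the server-side content check (compensating control 6).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Detection rule 2: inline <script>, javascript: URLs and on* event-handler attributes.
SVG_ACTIVE_CONTENT = re.compile(r"<\s*script\b|javascript\s*:|\son[a-z]+\s*=", re.IGNORECASE)

def weak_substring_check(filename: str, allowlist: str = "jpg,jpeg,png,gif,svg") -> bool:
    """Assumed form of the anti-pattern the advisory describes: an extension is
    accepted if it appears anywhere inside the allowlist string, so a partial
    token such as "jp" passes, and svg passes simply because it is listed."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in allowlist

def strict_extension_check(filename: str) -> bool:
    """Hardened form: exact match of the final extension against a set."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return False
    return base.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS

def content_matches_extension(filename: str, data: bytes) -> bool:
    """Magic-byte check: a renamed SVG or HTML payload cannot pass as an image."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return any(data.startswith(sig) for sig in MAGIC.get(ext, ()))

def accept_upload(filename: str, data: bytes) -> bool:
    """Server-side gate: both the extension and the file content must be acceptable."""
    return strict_extension_check(filename) and content_matches_extension(filename, data)

def svg_is_suspicious(data: bytes) -> bool:
    """Audit helper for immediate action 3: flag stored SVGs carrying active content."""
    return SVG_ACTIVE_CONTENT.search(data.decode("utf-8", errors="replace")) is not None

# Constructed samples, not real uploads.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="f()"><circle r="4"/></svg>'
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
```

The regex is a triage heuristic for reviewing already-stored files; it is not a substitute for excluding SVG from the upload allowlist.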
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies and Procedures
A.6.1.1 - Access Control Policy
A.8.2.1 - User Endpoint Devices
A.8.3.1 - Information and Other Associated Assets
A.12.2.1 - Restrictions on Software Installation
A.12.4.1 - Event Logging
A.12.4.3 - Administrator and Operator Logs
A.13.1.1 - Network Security Perimeter
A.13.1.3 - Segregation of Networks
A.14.2.1 - Secure Development Policy
🔵 SAMA CSF
ID.GV-1 - Organizational cybersecurity policy is established and communicated
PR.AC-1 - Identities and credentials are issued and managed
PR.DS-1 - Data-at-rest is protected
PR.DS-2 - Data-in-transit is protected
PR.PT-1 - Audit/log records are determined, documented, implemented, and reviewed
DE.AE-1 - A baseline of network operations and expected data flows for users and systems is established and managed
DE.CM-1 - The network is monitored to detect potential cybersecurity events
RS.RP-1 - Response is executed and coordinated with external parties
🟡 ISO 27001:2022
5.1 - Policies for information security
6.5 - Access control
8.1 - Information security risk assessment
8.2 - Information security risk treatment
8.3 - Information security risk acceptance
8.32 - Change management
8.33 - Test information and communication technology (ICT) changes
8.34 - Protection of information systems with cryptography
A.5.1.1 - Policies for information security
A.8.1.1 - User endpoint devices
A.8.2.1 - User access management
A.12.2.1 - Restrictions on software installation
A.12.4.1 - Event logging
A.12.6.1 - Management of technical vulnerabilities
A.14.2.1 - Secure development policy and procedures
🟣 PCI DSS v4.0.1
Requirement 1.1 - Firewall configuration standards
Requirement 2.1 - Always change vendor-supplied defaults
Requirement 6.2 - Ensure security patches are installed
Requirement 6.5.1 - Injection flaws prevention
Requirement 6.5.7 - Cross-site scripting (XSS) prevention
Requirement 6.5.10 - Broken authentication prevention
Requirement 10.2 - Implement automated audit trails
Requirement 10.3 - Protect audit trail history
📊 CVSS Score: 7.2 / 10.0 (High)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Changed (C)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): None (N)
📋 Quick Facts
Severity: High
CVSS Score: 7.2
CWE: CWE-434
EPSS: 0.02%
Exploit: No
Patch: Yes
Published: 2026-02-03
Source Feed: nvd
🇸🇦 Saudi Risk Score: 7.8 / 10.0
Priority: HIGH
🏷️ Tags
CWE-434