CVE-2026-1058
Published: 03 February 2026
Summary
CVE-2026-1058 is a high-severity Cross-site Scripting (CWE-79) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-1058, published on 2026-02-03, is a stored cross-site scripting (XSS) vulnerability in the Form Maker plugin for WordPress, affecting all versions up to and including 1.15.35. The flaw stems from insufficient output escaping when displaying user-supplied hidden field values in the admin submissions list. The plugin applies html_entity_decode() to these values without subsequent escaping before output, enabling HTML entity-encoded payloads to be converted back into executable JavaScript whenever an administrator views the submissions list.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no privileges required, though it relies on user interaction from an administrator accessing the submissions page. Exploitation allows injection of arbitrary web scripts into the admin submissions view, which execute in the administrator's browser context upon page load. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and is associated with CWE-79 (Cross-site Scripting).
Advisories and patch details are documented in references including the Wordfence threat intelligence page at https://www.wordfence.com/threat-intel/vulnerabilities/id/e0ec0027-2792-4069-b413-8fdd951f5fe7?source=cve, a code changeset at https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3447011%40form-maker%2Ftrunk&old=3440395%40form-maker%2Ftrunk&sfp_email=&sfph_mail=, and vulnerable source code at https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/admin/views/Submissions_fm.php#L759.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5290
Vulnerability details
The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses html_entity_decode() on user-supplied hidden field values without subsequent escaping before output, which converts HTML entity-encoded payloads back into executable JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin submissions view that will execute whenever an administrator accesses the submissions list.
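The decode-without-escape pattern described in the deeper analysis and in the details above, as an added illustration in PHP. This is constructed example code, not the Form Maker plugin's own source; the function names and the stored sample value are assumptions, and the hardened renderer shows the escape-at-output step the fix requires.

```php
<?php
// Constructed illustration (not the Form Maker plugin's own code) of the
// bug class described above: a submission value stored as HTML entities is
// run through html_entity_decode() and written into the admin page.

// Constructed sample of a stored hidden-field value. A harmless <b> tag is
// used as the stand-in; any markup the submitter encoded round-trips the
// same way through the decode step.
const STORED_HIDDEN_VALUE = '&lt;b&gt;hello&lt;/b&gt;';

// Vulnerable pattern: decode entities, then concatenate into HTML as-is.
// html_entity_decode() turns "&lt;" back into "<", so the submitter's markup
// becomes live HTML when the administrator's browser parses the table.
function render_submission_cell_vulnerable(string $value): string
{
    $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td>' . $decoded . '</td>';
}

// Hardened pattern: whatever decoding happens earlier, the value is escaped
// at the moment it enters HTML. Plain PHP uses htmlspecialchars(); inside
// WordPress the equivalent escaping helper is esc_html().
function render_submission_cell_safe(string $value): string
{
    $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $escaped = htmlspecialchars($decoded, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<td>' . $escaped . '</td>';
}

// Review check: does the cell body (inside the <td> wrapper) contain a raw
// "<"? If so, submitter-controlled markup reached the page unescaped.
function cell_body_has_raw_markup(string $cell): bool
{
    $body = substr($cell, strlen('<td>'), -strlen('</td>'));
    return strpos($body, '<') !== false;
}

foreach (['vulnerable' => 'render_submission_cell_vulnerable',
          'safe'       => 'render_submission_cell_safe'] as $label => $renderer) {
    $cell = $renderer(STORED_HIDDEN_VALUE);
    printf("%-10s %s  raw markup: %s\n", $label, $cell,
           cell_body_has_raw_markup($cell) ? 'yes' : 'no');
}
```

The same check applied to a rendering function in review is a quick way to confirm that decoding and escaping are not separated by an unescaped output path.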
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in public-facing WordPress plugin directly enables remote script injection (T1190) with JavaScript execution in admin browser context (T1059.007).
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): directly requires output filtering/escaping of user-supplied data before display, which would have blocked the html_entity_decode() XSS payload in the admin submissions view.
- SI-10 (Information Input Validation): mandates validation and sanitization of all untrusted input (hidden fields) to reject or neutralize script content before storage or processing.
- Requires mechanisms to detect and block malicious code (including injected scripts) from executing in the context of the WordPress admin interface.