The Form Maker plugin for WordPress, created by 10Web, lets users build mobile-friendly contact forms with a drag-and-drop interface. Versions up to 1.15.24 contain a stored cross-site scripting (XSS) vulnerability that could allow attackers to inject malicious script into forms. The injection point is a user’s display name, which is filled into the form without being properly sanitized. As a result, anyone with at least subscriber-level access to the website could add malicious scripts to pages, and those scripts run when another user visits the page.
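A defender's view of the issue described above, as an added example that is not part of the original page or the plugin's own code: it checks whether an installed version falls in the affected range, flags display names that carry markup characters, and contrasts raw output with escaped output. The field markup, function names and sample rows are assumptions constructed for illustration, and "up to 1.15.24" is read as inclusive.

```python
import html
import re

# Last affected release as stated in the advisory text (assumed inclusive).
LAST_AFFECTED = (1, 15, 24)

# Characters that change meaning in HTML text or attribute contexts.
# Apostrophes are left out on purpose: they occur in legitimate names.
MARKUP = re.compile(r'[<>"]')


def is_affected(version: str) -> bool:
    """True when an installed Form Maker version is in the affected range."""
    return tuple(int(p) for p in version.split(".")) <= LAST_AFFECTED


def render_unescaped(display_name: str) -> str:
    """Flawed pattern: a profile value placed into markup as-is.
    The field below is hypothetical, not the plugin's real template."""
    return f'<input type="text" name="your_name" value="{display_name}">'


def render_escaped(display_name: str) -> str:
    """Corrected pattern: encode for the attribute context at output time."""
    safe = html.escape(display_name, quote=True)
    return f'<input type="text" name="your_name" value="{safe}">'


def audit_display_names(users):
    """Return logins whose display name contains markup characters."""
    return [u["login"] for u in users if MARKUP.search(u["display_name"])]


# Constructed sample rows, standing in for an export of site accounts.
SAMPLE_USERS = [
    {"login": "alice", "role": "subscriber", "display_name": "Alice O'Neil"},
    {"login": "mallory", "role": "subscriber",
     "display_name": 'Mallory"><b>constructed</b>'},
    {"login": "carol", "role": "editor", "display_name": "Carol"},
]

if __name__ == "__main__":
    print("1.15.24 affected:", is_affected("1.15.24"))
    for login in audit_display_names(SAMPLE_USERS):
        name = next(u["display_name"] for u in SAMPLE_USERS if u["login"] == login)
        print("review account:", login)
        print("  raw    :", render_unescaped(name))
        print("  escaped:", render_escaped(name))
```

Accounts the audit flags are candidates for manual review, and escaping at output time remains necessary even after stored values are cleaned.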