Form Maker < 1.13.60 – Authenticated Stored XSS | CVE 2021-24526 | Plugin Vulnerabilities

Description

The plugin does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue

Proof of Concept

Create or edit a form and add the following payload in the Form Title field "autofocus onmouseover=alert(/XSS/)// save it and move the mouse over the Title field

Edit (WPScanTeam): better payload (no interaction needed other than editing the affected Form): " style="animation-name:rotation" onanimationstart="alert(/XSS/)//

Affects Plugins

Fixed in 1.13.60

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Felipe Restrepo Rodriguez

Submitter

Felipe Restrepo Rodriguez

Submitter website

https://pfelilpe.com

Submitter twitter

Verified

Yes

WPVDB ID

17287d8a-ba27-42dc-9370-a931ef404995

Timeline

Publicly Published

2021-07-15 (about 4 years ago)

Added

2021-07-15 (about 4 years ago)

Last Updated

2021-07-30 (about 4 years ago)

Other

Published

Title

Published

2025-11-03

Title

Free Quotation <= 3.1.6 - Authenticated (Admin+) Stored Cross-Site Scripting

Published

2025-07-02

Title

WordPress Qwizcards < 3.95 - Reflected XSS

Published

2025-01-16

Title

Altima Lookbook Free for WooCommerce <= 1.1.0 - Refletced Cross-Site Scripting

Published

2023-12-26

Title

WordPress.com Editing Toolkit < 3.79150 - Contributor+ Stored XSS

Published

2023-10-16

Title

Super Testimonials < 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode