Form Maker by 10Web < 1.13.40 – Authenticated Reflected XSS

Description

The 'Form Maker by 10Web' WordPress plugin is vulnerable to XSS in the 'blocked_ips_fm' page. A logged-in site administrator who follows a crafted link will trigger arbitrary JavaScript code to be run in their browser in the context of their privileged account on the WordPress site.

Proof of Concept

https://example.com/wp-admin/admin.php?page=blocked_ips_fm&s="+type=image+src=1+onerror="alert(/XSS/)

Affects Plugins

form-maker

Fixed in 1.13.40

References

URL

https://plugins.trac.wordpress.org/changeset/2339260

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

8.3 (high)

Miscellaneous

Original Researcher

Andy Tyler (@ticarpi)

Submitter

Andy Tyler

Submitter website

https://www.ticarpi.com

Submitter twitter

https://twitter.com/ticarpi

Verified

Yes

WPVDB ID

77b9452b-41f3-4ba4-a84a-e49df0113f92

Timeline

Publicly Published

2020-07-12 (about 5 years ago)

Added

2020-07-12 (about 5 years ago)

Last Updated

2020-07-12 (about 5 years ago)

Other

Published

Title

Published

2023-02-02

Title

Image Hover Effects for Elementor with Lightbox and Flipbox < 3.0 - Reflected XSS

Published

2025-02-16

Title

easy-broken-link-checker <= 9.0.2 - Admin+ Stored XSS

Published

2025-02-03

Title

Simple Select All Text Box <= 3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2026-02-27

Title

UberSlider Ultra <= 2.3 - Reflected Cross-Site Scripting

Published

2023-10-25

Title

VK Filter Search < 2.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode