Form Maker By 10Web < 1.14.12 – Admin+ Stored Cross-Site Scripting | CVE 2022-1564 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape the Custom Text settings, which could allow high privilege user such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Proof of Concept

In a form settings, put the following payload in the Actions after submission > Action Type > Custom Text: <img src onerror=alert(/XSS/)>

The XSS will be triggered after a form is submitted

Affects Plugins

Fixed in 1.14.12

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Abhinav Porwal & Hitesh Kumar

Submitter

Abhinav Porwal & Hitesh Kumar

Submitter website

https://grey-fish.github.io

Submitter twitter

Verified

Yes

WPVDB ID

a487c7e7-667c-4c92-a427-c43cc13b348d

Timeline

Publicly Published

2022-05-09 (about 3 years ago)

Added

2022-05-09 (about 3 years ago)

Last Updated

2022-05-09 (about 3 years ago)

Other

Published

Title

Published

2025-04-11

Title

DSGVO Youtube < 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-06-28

Title

Events Manager < 6.4.9 - Reflected Cross-Site Scripting

Published

2025-04-24

Title

Ajax Comment Form CST <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-09-05

Title

Smart Table Builder < 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

Published

2024-03-12

Title

Page Builder Gutenberg Blocks < 3.1.7 - Contributor+ Stored XSS