Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder < 1.15.23 – Sensitive Information Exposure | CVE 2024-2112 | Plugin Vulnerabilities

Description

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.15.22 via the signature functionality. This makes it possible for unauthenticated attackers to extract sensitive data including user signatures.

Affects Plugins

Fixed in 1.15.23

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/5652f9c3-3cc9-4541-8209-40117b4d25d9

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Tim Coen

Verified

No

WPVDB ID

c36da1be-822b-4822-91a4-36786b1a0650

Timeline

Publicly Published

2024-03-22 (about 2 years ago)

Added

2024-03-22 (about 2 years ago)

Last Updated

2024-03-22 (about 2 years ago)

Other

Published

Title

Published

2023-05-22

Title

MStore API < 3.9.2 - Authentication Bypass

Published

2024-12-17

Title

Biagiotti Membership < 1.1 - Authentication Bypass via biagiotti_membership_check_facebook_user

Published

2023-11-21

Title

UserPro < 5.1.2 - Authentication Bypass to Administrator

Published

2014-09-17

Title

WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout

Published

2014-08-01

Title

WordPress 3.7.1 & 3.8.1 - Potential Authentication Cookie Forgery