Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder < 1.15.24 – Authenticated (Admin+) Stored Cross-Site Scripting | CVE 2024-32534 | Plugin Vulnerabilities

Description

The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.15.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Fixed in 1.15.24

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/8921ea7f-5e27-4f05-b338-1c16366a8c8e

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Joel Indra

Verified

No

WPVDB ID

eeb0d4cd-5159-49db-82bb-9d8fd52f8d3d

Timeline

Publicly Published

2024-04-15 (about 2 years ago)

Added

2024-04-25 (about 2 years ago)

Last Updated

2024-04-25 (about 2 years ago)

Other

Published

Title

Published

2024-03-28

Title

Slider by Supsystic < 1.8.11 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2025-01-16

Title

Responsivity <= 0.0.6 - Reflected Cross-Site Scripting

Published

2024-03-01

Title

Ultimate Bootstrap Elements for Elementor < 1.3.7 - Contributor+ Stored XSS

Published

2023-12-18

Title

AMP for WP – Accelerated Mobile Pages < 1.0.92.1 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode

Published

2023-11-08

Title

Post Pay Counter < 2.790 - Reflected XSS