Form Maker by 10Web < 1.15.25 – Authenticated (Subscriber+) Stored Self-Based Cross-Site Scripting | CVE 2024-2258 | Plugin Vulnerabilities

Description

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name autofilled into forms in all versions up to, and including, 1.15.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Fixed in 1.15.25

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/af1075a5-9efa-4b86-9798-6dbafcba4db5

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

stealthcopter

Verified

No

WPVDB ID

cad053ae-609f-4e74-9b26-6b74a2010023

Timeline

Publicly Published

2024-04-26 (about 16 days ago)

Added

2024-04-26 (about 15 days ago)

Last Updated

2024-04-26 (about 15 days ago)

Other

Published

Title

Published

2018-10-26

Title

Flow-Flow Social Stream <= 3.0.71 - Unauthenticated Cross-Site Scripting (XSS)

Published

2022-10-21

Title

Quiz And Survey Master < 7.3.5 - Reflected Cross-Site Scripting

Published

2024-03-28

Title

Otter Blocks < 2.6.6 - Contributor+ Stored XSS

Published

2024-04-25

Title

PopupAlly <= 2.1.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Published

2023-11-29

Title

List all posts by Authors, nested Categories and Title < 2.8.3 - CSRF