Skip to main content

Form Maker CVE-2024-2258

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2024-04-27 security@wordfence.com
4.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.4 MEDIUM
AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch released
Apr 08, 2026 - 19:39 nvd
Patch available
CVE Published
Apr 27, 2024 - 04:15 nvd
MEDIUM 4.4

DescriptionCVE.org

The Form Maker by 10Web - Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name autofilled into forms in all versions up to, and including, 1.15.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

The Form Maker by 10Web - Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name autofilled into forms in all. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. The Form Maker by 10Web - Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name autofilled into forms in all versions up to, and including, 1.15.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Affected products include: 10Web Form Maker.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2023-4666 CRITICAL POC
9.8 Oct 16

The Form Maker by 10Web WordPress plugin before 1.15.20 does not validate signatures when creating them on the server fr

CVE-2019-10866 CRITICAL POC
9.8 May 23

In the Form Maker plugin before 1.13.3 for WordPress, it's possible to achieve SQL injection in the function get_labels_

CVE-2018-5991 CRITICAL POC
9.8 Feb 17

SQL Injection exists in the Form Maker 3.6.12 component for Joomla!. Rated critical severity (CVSS 9.8), this vulnerabil

CVE-2019-11590 HIGH POC
8.8 Apr 29

The 10Web Form Maker plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, wi

CVE-2018-10504 HIGH POC
7.8 Apr 27

The WebDorado "Form Maker by WD" plugin before 1.12.24 for WordPress allows CSV injection. Rated high severity (CVSS 7.8

CVE-2022-3300 HIGH POC
7.2 Oct 25

The Form Maker by 10Web WordPress plugin before 1.15.6 does not properly sanitise and escape a parameter before using it

CVE-2021-24526 MEDIUM POC
5.4 Aug 16

The Form Maker by 10Web - Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin before 1.13.60 does not esca

CVE-2024-10680 MEDIUM POC
4.8 Apr 16

The Form Maker by 10Web WordPress plugin before 1.15.32 does not sanitise and escape some of its settings, which could a

CVE-2024-13605 MEDIUM POC
4.8 Feb 24

The Form Maker by 10Web WordPress plugin before 1.15.33 does not sanitise and escape some of its settings, which could a

CVE-2024-6130 MEDIUM POC
4.8 Jul 01

The Form Maker by 10Web WordPress plugin before 1.15.26 does not sanitise and escape some of its settings, which could a

CVE-2022-1564 MEDIUM POC
4.8 May 30

The Form Maker by 10Web WordPress plugin before 1.14.12 does not sanitize and escape the Custom Text settings, which cou

CVE-2024-10558 LOW POC
3.5 Mar 24

The Form Maker by 10Web WordPress plugin before 1.15.30 does not sanitise and escape some of its settings, which could a

Share

CVE-2024-2258 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy