Form Maker by 10Web 1.15.24 XSS via User Display Name in Contact Forms
CVE-2024-2258 Published on April 27, 2024
Form Maker by 10Web <= 1.15.24 - Authenticated (Subscriber+) Stored Self-Based Cross-Site Scripting
The Form Maker by 10Web Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name autofilled into forms in all versions up to, and including, 1.15.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Weakness Type
What is an XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2024-2258 has been classified as an XSS vulnerability or weakness.
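As an added illustration of the pattern the description above names (a user's display name written into a contact form field's value attribute so the form is pre-filled), the following script renders that field once without escaping and once with attribute-context escaping, then parses both results to show which one stays a single input element. This is not code from the Form Maker plugin or from stack.watch; the function names and the sample display name are constructed for this example. esc_attr() is WordPress's own attribute-escaping helper, and plain htmlspecialchars() stands in for it here so the script runs without WordPress loaded.

```php
<?php
// Constructed sample display name, the kind of value a low-privilege account
// can set on its own profile. It contains a quote and angle brackets.
$displayName = 'Eve"><b>injected</b>';

// Vulnerable pattern: the name is concatenated into the attribute as-is.
function render_name_field_unescaped(string $name): string
{
    return '<input type="text" name="name" value="' . $name . '">';
}

// Hardened pattern: escape for the HTML attribute context before output.
// In a WordPress plugin this is esc_attr($name); htmlspecialchars() with
// ENT_QUOTES is the equivalent core-PHP call used here.
function render_name_field_escaped(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="name" value="' . $safe . '">';
}

// Parse the rendered markup the way a browser would and report whether the
// body holds exactly one element, the intended <input>. Any extra element
// means the display name broke out of the attribute and became markup.
function renders_as_single_input(string $html): bool
{
    $doc = new DOMDocument();
    // libxml emits warnings for fragments; suppress them, wrap in a document.
    @$doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    $body = $doc->getElementsByTagName('body')->item(0);

    $elements = 0;
    $firstName = null;
    foreach ($body->childNodes as $node) {
        if ($node->nodeType === XML_ELEMENT_NODE) {
            $elements++;
            $firstName = $firstName ?? $node->nodeName;
        }
    }
    return $elements === 1 && $firstName === 'input';
}

// Read back the value attribute after parsing; for the escaped rendering the
// browser decodes the entities and the original name survives as plain data.
function parsed_value_attribute(string $html): ?string
{
    $doc = new DOMDocument();
    @$doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input ? $input->getAttribute('value') : null;
}

$unsafe = render_name_field_unescaped($displayName);
$safe   = render_name_field_escaped($displayName);

printf("Unescaped markup:   %s\n", $unsafe);
printf("  single <input>?   %s\n", renders_as_single_input($unsafe) ? 'yes' : 'no');
printf("Escaped markup:     %s\n", $safe);
printf("  single <input>?   %s\n", renders_as_single_input($safe) ? 'yes' : 'no');
printf("  value round-trips? %s\n",
    parsed_value_attribute($safe) === $displayName ? 'yes' : 'no');
```

The parse-based check is the useful part for review: rather than grepping output for quotes, it asks whether the rendered fragment still contains only the element the template intended, which is exactly the property output escaping is meant to preserve.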
Products Associated with CVE-2024-2258
Affected Versions
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder:
- All versions up to and including 1.15.24 (<= 1.15.24) are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.