Form Maker by 10Web is a widely used WordPress plugin for building and managing forms. Versions below 1.15.31 contain a Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-10562: a user with editor-level privileges can place JavaScript in a form setting, the value is saved without sanitization, and the script runs in the browser of anyone who views the rendered form, including administrators. Script executing in an administrator's session can act with that administrator's rights (create users, install plugins, change settings), which is how a stored XSS turns into privilege escalation and, potentially, full control of the site. With over 50,000 active installations, the flaw affects a large number of WordPress sites.
| Field | Value |
| --- | --- |
| CVE | CVE-2024-10562 |
| Plugin | Form Maker by 10Web < 1.15.31 |
| Criticality | High |
| All-time downloads | 2 154 561 |
| Active installations | 50 000+ |
| Publicly published | December 17, 2024 |
| Last updated | December 17, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP Top 10 | A7: Cross-Site Scripting (XSS) (2017 list) |
| PoC | Yes |
| Exploit | No |
| References | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10562 ; https://wpscan.com/vulnerability/317f6cb7-774f-4381-a855-858c051aa1d5/ |
Timeline

| Date | Event |
| --- | --- |
| October 10, 2024 | Plugin testing and vulnerability detection in Form Maker by 10Web completed |
| October 10, 2024 | Contacted the plugin author and provided a vulnerability PoC with a description and recommendations for fixing |
| December 17, 2024 | CVE-2024-10562 registered |
Discovery of the Vulnerability
The vulnerability was found during a security audit of the Form Maker plugin. The issue lies in the "Image" field of the "Form Header" section. The value entered there is saved to the WordPress database without sanitization and is later written into the HTML of the rendered form without escaping. Because the value lands inside an HTML attribute, a double quote in the input closes that attribute and whatever follows is parsed as further attributes, such as an event handler (the PoC below uses onmouseover). When the form is rendered on the frontend, the injected JavaScript executes in the visitor's browser, which can lead to session hijacking or account takeover. The root cause is missing input validation and missing output escaping for this field, and the field is editable by roles below administrator, such as editor.
Understanding XSS attacks
Cross-Site Scripting (XSS) occurs when an attacker can inject JavaScript into a web page that is then executed in the browsers of users who view it. The consequences include session hijacking, credential theft, and privilege escalation. Stored XSS is the most dangerous variant: the payload lives in the database and fires for every viewer, logged-in administrators included, without further action by the attacker. XSS is common in WordPress because plugins and themes accept dynamic content from users and do not always escape it for the context in which it is output. XSS issues have previously been reported in other form plugins, including WPForms, where JavaScript injected into form fields could be used for session hijacking. CVE-2024-10562 follows the same pattern: improper input sanitization and output escaping in Form Maker allow a malicious script to be stored and executed when the form is rendered.
Exploiting the XSS Vulnerability
To exploit CVE-2024-10562, an attacker needs an account with editor-level privileges (or any other role that can create Form Maker forms but does not hold the unfiltered_html capability).
PoC:
1. Log in as an editor and create a new form with Form Maker.
2. In the "Form Header" section, set the "Image" field to a value that closes the attribute the plugin places it in and appends an event handler, for example:
   123" onmouseover=alert(1)//
   In a real attack the alert(1) is replaced by code that loads a remote script with eval() or performs actions as the victim.
3. Click "Save Settings". The value is stored without sanitization.
4. Open a page on which the form is rendered. The handler is now part of the header image markup, and hovering over the image fires alert(1) in the viewer's browser.
Note on testing: administrators and editors are allowed to use JS in posts/pages/comments etc. by default, so the unfiltered_html capability should be disallowed when testing for Stored XSS with such roles. If the payload still executes from a plugin setting after that, the plugin, not WordPress, is at fault.
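The rendering bug behind this report can be reproduced in a few lines of plain PHP. The following is an added example written for this page, not Form Maker's own code: the function names, the markup and the sample inputs are assumed for illustration. It shows the unescaped concatenation that lets the PoC payload break out of the src attribute, beside a hardened version that validates the URL on save and escapes it for the attribute context on output.

```php
<?php
declare(strict_types=1);

// Added illustration (not Form Maker's code): a form-header image value is
// written into an HTML src attribute. Function names and markup are assumed.
// Run with: php render_header_image.php

// Vulnerable pattern: the stored value is concatenated into the attribute as-is,
// so a double quote in the value closes src and everything after it is parsed
// by the browser as further attributes (the PoC adds onmouseover=).
function render_header_image_vulnerable(string $image): string
{
    return '<img class="fm-header-image" src="' . $image . '">';
}

// Accept only absolute http(s) URLs. FILTER_VALIDATE_URL alone is not enough:
// a URL such as javascript://example.com/%0aalert(1) has a scheme and a host
// and passes the filter, hence the explicit scheme allowlist.
function sanitize_image_url(string $image): string
{
    $image = trim($image);
    if ($image === '' || filter_var($image, FILTER_VALIDATE_URL) === false) {
        return '';
    }
    $scheme = strtolower((string) parse_url($image, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $image : '';
}

// Hardened pattern: validate on save, escape for the attribute context on
// output. Inside WordPress the equivalent calls are esc_url_raw() when saving
// and esc_url()/esc_attr() when printing; htmlspecialchars() is used here so
// the file runs without WordPress loaded.
function render_header_image_hardened(string $image): string
{
    $url = sanitize_image_url($image);
    if ($url === '') {
        return '';
    }
    return '<img class="fm-header-image" src="'
        . htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '">';
}

// Constructed inputs: the PoC payload from this advisory, a quote smuggled into
// an otherwise well-formed URL, a javascript: URL that carries a host, and a
// benign image URL.
$inputs = [
    '123" onmouseover=alert(1)//',
    'https://example.com/logo.png"onerror=alert(1)',
    'javascript://example.com/%0aalert(1)',
    'https://example.com/logo.png',
];

foreach ($inputs as $input) {
    printf("input:      %s\n", $input);
    printf("vulnerable: %s\n", render_header_image_vulnerable($input));
    printf("hardened:   %s\n\n", render_header_image_hardened($input) ?: '(rejected)');
}
```

For the PoC payload the vulnerable renderer emits `<img class="fm-header-image" src="123" onmouseover=alert(1)//">`: the quote in the input terminates src, onmouseover becomes a real attribute, and the trailing `//` swallows the original closing quote. The hardened renderer rejects that input because it is not a URL at all, rejects the javascript: URL on scheme, and for any quote that survives validation turns it into `&quot;` so it stays inside the attribute value. Validation and escaping are both needed; neither one alone covers the other's failure mode.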
The potential impact of CVE-2024-10562 is substantial. Because the payload executes in the browser of whoever views the form, an attacker can wait for an administrator to load the page and then hijack that session or perform privileged actions with it, such as creating a new administrator account, installing a malicious plugin, modifying content, stealing data, or defacing the site. For sites handling sensitive information, such as e-commerce or membership sites, this can mean data breaches, financial loss, and reputational damage. Access obtained this way persists even if the original administrator changes their password, because the attacker now holds their own credentials or code on the site, and a compromised WordPress instance can serve as a springboard for attacks on other systems connected to it.
Recommendations for Improved Security
To mitigate CVE-2024-10562, update Form Maker to version 1.15.31 or later, in which the issue is fixed. Plugin developers should validate input such as the "Image" field (an image URL should be an http(s) URL and nothing else) and escape every stored value for the context in which it is printed, in this case an HTML attribute. Site administrators should disable the unfiltered_html capability for non-administrator users so that editors cannot legitimately store JavaScript; this reduces exposure and also makes stored-XSS testing meaningful. A Content Security Policy that does not allow inline scripts blocks inline event handlers like the one in the PoC, although the policy needs tuning because WordPress core, themes and plugins rely on inline scripts. Regular security audits and security plugins that detect XSS should be part of the site's overall security strategy. The vendor fixed the issue following the recommendations provided in our report.
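The two site-side hardening measures above, dropping unfiltered_html for non-administrators and sending a CSP, can be applied from a single must-use plugin. The following is an added example for this page, not part of Form Maker or of any CleanTalk product; the filter and action names are WordPress core hooks, while the policy directives and the mu-plugin file itself are assumptions to adapt to the site.

```php
<?php
/**
 * Plugin Name: Stored XSS hardening (example)
 * Description: Added example for this advisory, not part of Form Maker or of
 *              CleanTalk's products. Place this file in wp-content/mu-plugins/
 *              so it loads before ordinary plugins. Tune the CSP to your theme
 *              before switching it from Report-Only to enforced.
 */

// 1. Deny unfiltered_html to everyone who cannot manage_options (i.e. below
//    administrator). On a single site WordPress grants the capability to
//    administrators and editors by default; on multisite only super admins
//    have it. Without it, on*= handlers and <script> in post content are
//    stripped by KSES, so a payload that still fires from a plugin setting
//    is the plugin's fault. Defining DISALLOW_UNFILTERED_HTML in wp-config.php
//    is the blunter alternative: it removes the capability for administrators too.
add_filter('map_meta_cap', function ($caps, $cap, $user_id) {
    if ('unfiltered_html' === $cap && !user_can($user_id, 'manage_options')) {
        $caps[] = 'do_not_allow';
    }
    return $caps;
}, 10, 3);

// 2. Content Security Policy for front-end responses (send_headers fires for
//    front-end requests, not for wp-admin). Without 'unsafe-inline' in
//    script-src, inline event handlers such as the PoC's onmouseover= do not
//    execute even when the stored payload reaches the page. Shipped as
//    Report-Only on purpose: core, themes and plugins emit inline <script>
//    blocks, so collect violations first and only then rename the header to
//    Content-Security-Policy.
add_action('send_headers', function () {
    if (headers_sent()) {
        return;
    }
    $policy = implode('; ', [
        "default-src 'self'",
        "script-src 'self'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'self'",
        // "report-uri https://csp.example.invalid/report", // assumed collector endpoint
    ]);
    header('Content-Security-Policy-Report-Only: ' . $policy);
});
```

Neither measure patches the plugin; only updating to 1.15.31 or later does that. The capability change limits what editors can legitimately store and keeps test results honest, and the CSP is a second layer that stops inline handlers if another unescaped field turns up. Without a report-uri directive, violations are only visible in the browser console, so add a collector before relying on the Report-Only data.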
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10562, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.