Form Maker by 10Web is a versatile WordPress plugin used to create and manage various forms, such as contact forms, surveys, and registration forms. However, a critical vulnerability, CVE-2024-13053, has been discovered in the plugin, which allows attackers to inject malicious JavaScript into the plugin’s settings. This vulnerability, a Stored Cross-Site Scripting (XSS) flaw, enables attackers with editor-level access to execute arbitrary JavaScript code. This could lead to session hijacking, privilege escalation, or the creation of backdoor admin accounts. With over 50,000 active installations, the vulnerability poses a significant risk to WordPress sites using Form Maker.

CVE: CVE-2024-13053
Plugin: Form Maker by 10Web < 1.15.33
Criticality: High
All-time downloads: 2 835 944
Active installations: 50 000+
Publicly Published: January 17, 2025
Last Updated: January 17, 2025
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13053/
https://wpscan.com/vulnerability/1c667a70-8b38-4854-8969-2971f9c2fe79/

Timeline

December 30, 2024: Plugin testing and vulnerability detection in the Form Maker by 10Web have been completed.
December 30, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing.
January 17, 2025: Registered CVE-2024-13053.

Discovery of the Vulnerability

The vulnerability was discovered during a routine security audit of the Form Maker plugin. The issue lies in the “Title” field of the plugin’s theme settings, which allows users to customize the title of their forms. This field, however, does not properly sanitize or validate user input, allowing an attacker to inject malicious JavaScript code. Once the settings are saved, the injected JavaScript is stored in the WordPress database and is executed when the “Title” field is hovered over on the frontend. The lack of input sanitization and validation in this field allows an attacker with editor-level privileges to exploit the vulnerability and execute malicious actions.

Understanding XSS Attacks

Cross-Site Scripting (XSS) is one of the most prevalent vulnerabilities in web applications. It occurs when an attacker is able to inject malicious JavaScript into a website, which is executed by the browser of anyone who visits the page. XSS vulnerabilities are common in WordPress plugins, especially those that allow user-generated content or configurable settings. A real-world example of an XSS vulnerability in WordPress was found in the Contact Form 7 plugin, where attackers could inject JavaScript into form fields, potentially leading to data theft or session hijacking. Similarly, CVE-2024-13053 in Form Maker allows an attacker to inject JavaScript into the “Title” field, which can then be executed when a user interacts with the field on the frontend.

Exploiting the XSS Vulnerability

To exploit CVE-2024-13053, an attacker with editor-level privileges:

POC:

1) Edit any default theme: 123/wordpress/wp-admin/admin.php?page=themes_fm&task=edit&current_id=2
2) Change the "Title" field to malicious JS.
3) To trigger the XSS, hover over the "Title" input field.
(Admins and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles.)


The risks associated with CVE-2024-13053 are substantial. If exploited, the attacker could hijack the session of an admin user or escalate their privileges to gain full control of the WordPress site. Once the attacker gains admin access, they could modify site content, install malicious plugins, steal sensitive user data, or deface the site. In a real-world scenario, an attacker could create a backdoor admin account, ensuring persistent access to the site even after the vulnerability is patched. This is particularly concerning for websites that handle sensitive information, such as e-commerce platforms, membership sites, or sites with valuable user data. Exploitation of this vulnerability could lead to data breaches, financial losses, and significant reputational damage.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2024-13053, administrators should immediately update the Form Maker plugin to the latest patched version. Additionally, administrators should restrict the unfiltered_html capability for non-admin users, especially editors, to prevent them from injecting JavaScript into plugin settings. It is essential to properly sanitize and validate all user inputs, particularly in fields that affect the frontend display, such as the “Title” field. Implementing a Content Security Policy (CSP) and performing regular security audits can help detect and block potential XSS vulnerabilities before they can be exploited. Limiting user permissions and reviewing user roles periodically can also help prevent privilege escalation attacks. To prevent this type of attack, the vendor applied the fixes we recommended.
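As an added example (not Form Maker's or 10Web's code), the following PHP models both halves of the issue described on this page: a theme "Title" stored verbatim and rendered into an HTML attribute (the context assumed here for the hover-triggered execution described above), beside the save-time sanitization, unfiltered_html check and output escaping the recommendations call for. The function names render_title_unsafe, save_title and render_title_safe are illustrative; sanitize_text_field(), esc_attr() and current_user_can() are the real WordPress APIs, with stand-alone fallbacks so the file runs outside WordPress.

```php
<?php
// Added example, not Form Maker's code. Models a theme "Title" that is stored
// and later rendered inside an HTML attribute, which is the context assumed
// here for a hover over the field executing whatever was stored.

// Stand-alone fallbacks so this file runs outside WordPress; inside WordPress
// the real sanitize_text_field() and esc_attr() are used instead.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        return trim(strip_tags($s));            // tags removed, quotes kept
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: stored value concatenated straight into an attribute.
function render_title_unsafe(string $stored_title): string {
    return '<input type="text" title="' . $stored_title . '" value="Title">';
}

// Save step: only roles with unfiltered_html may store markup; everyone else
// gets plain text. $can_unfiltered stands in for current_user_can('unfiltered_html').
function save_title(string $raw_title, bool $can_unfiltered): string {
    return $can_unfiltered ? $raw_title : sanitize_text_field($raw_title);
}

// Render step: escape for the attribute context regardless of who saved the
// value. Sanitizing on save is not enough on its own: sanitize_text_field()
// strips tags but leaves the quote that would close the attribute early.
function render_title_safe(string $stored_title): string {
    return '<input type="text" title="' . esc_attr($stored_title) . '" value="Title">';
}

// Constructed test value: a quote followed by a harmless fake attribute. It
// shows the attribute breakout without carrying any script.
$constructed = 'Contact" data-injected="1';

echo render_title_unsafe($constructed), PHP_EOL;
echo render_title_safe(save_title($constructed, false)), PHP_EOL;

// Self-check: the escaped output keeps only the template's own six double
// quotes, so the stored value cannot introduce a new attribute.
assert(substr_count(render_title_safe($constructed), '"') === 6);
```

Running the file prints the unsafe rendering, in which the stored quote has opened a second attribute, followed by the hardened rendering, in which the same value stays inside the title attribute as text.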

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-13053, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.



Dmitrii I.
CVE-2024-13053 – Form Maker by 10Web – Stored XSS to JS Backdoor Creation – POC
