Lead Form Builder is a popular WordPress plugin designed to create and manage contact forms. It offers an easy-to-use drag-and-drop interface and integration with page builders like Elementor, Brizy, SiteOrigin, and Gutenberg. However, a security vulnerability (CVE-2024-10475) was discovered in versions prior to 1.9.8, which allows attackers to inject and execute malicious JavaScript code through Stored Cross-Site Scripting (XSS). This article explores the vulnerability, its risks, exploitation, and best practices to mitigate the issue.
| Field | Value |
|---|---|
| CVE | CVE-2024-10475 |
| Plugin | Lead Form Builder < 1.9.8 |
| Severity | High |
| All-time downloads | 782 415 |
| Active installations | 10 000+ |
| Publicly Published | March 12, 2025 |
| Last Updated | March 12, 2025 |
| Researcher | Artyom Krugov |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10475 , https://wpscan.com/vulnerability/faca59fb-6b59-45b0-8b97-c4125d9d3cb3/ |
Timeline

| Date | Event |
|---|---|
| October 23, 2025 | Plugin testing and vulnerability detection in Lead Form Builder were completed |
| October 23, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| March 12, 2025 | Registered CVE-2024-10475 |
Discovery of the Vulnerability
Security researchers identified that the Lead Form Builder plugin fails to properly sanitize user input in the “Submit” button field within the form builder. The vulnerability allows an attacker to inject JavaScript code, which is then stored in the WordPress database and executed when an administrator or visitor interacts with the form on the website.
Understanding XSS attacks
Stored XSS occurs when a web application permanently stores user-supplied input and later serves it to other users without proper sanitization. In the case of the Lead Form Builder plugin, an attacker can inject JavaScript payloads, which execute whenever a user interacts with the form, potentially leading to session hijacking, data theft, or administrator account compromise.
Exploiting the XSS Vulnerability
The exploitation of this vulnerability is straightforward due to the lack of proper input validation and output escaping. Attackers can:

1) Inject JavaScript payloads via form fields.
2) Target website administrators and logged-in users with privileged access.
3) Steal session cookies, redirect users, or perform actions on behalf of other users.
4) Modify the website's content, insert phishing forms, or distribute malware.

PoC:
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-10475, website administrators should take the following steps:
- Update the Plugin: Ensure that you are running Lead Form Builder version 1.9.8 or later, as the issue has been addressed in recent patches.
- Sanitize User Input: Developers should implement proper input validation and output encoding to prevent script injections.
- Use Security Plugins: Install WordPress security plugins like Wordfence or Sucuri to detect and block malicious scripts.
- Apply Content Security Policy (CSP): Restrict inline script execution to minimize XSS attacks.
- Educate Users and Admins: Website administrators should be aware of the risks and avoid interacting with suspicious forms or elements.
- Regular Security Audits: Conduct periodic security assessments to identify and fix vulnerabilities before attackers can exploit them.
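The "Sanitize User Input" and "Apply Content Security Policy" items above are easiest to see side by side in code. The following is an added illustration written for this article, not code from the Lead Form Builder plugin: the `lfb_demo_*` function names, the `lfb_demo_submit_label` option and the `admin_post_lfb_demo_save_label` action are hypothetical, chosen only to show the pattern. It goes slightly beyond the list by also adding a capability check and a nonce on the save path, and by including a small audit query an administrator can run before updating to see whether script-like content is already stored. Every WordPress API used (`sanitize_text_field`, `esc_attr`, `esc_html`, `wp_verify_nonce`, `$wpdb->prepare`, `$wpdb->esc_like`) is a real core function.

```php
<?php
/**
 * Added example for this article, not the plugin's own code.
 * Shows a stored-XSS sink in a form builder's "Submit" button label
 * and the WordPress-idiomatic way to close it. Names are hypothetical.
 */

// --- Vulnerable pattern --------------------------------------------------
// The label is stored exactly as submitted and echoed raw. A value such as
// a <script> element or an on* handler is persisted in the database and
// executes in the browser of every user who is later shown the form.
function lfb_demo_save_button_label_vulnerable() {
    if ( isset( $_POST['submit_label'] ) ) {
        update_option( 'lfb_demo_submit_label', wp_unslash( $_POST['submit_label'] ) ); // no sanitization
    }
}
function lfb_demo_render_button_vulnerable() {
    $label = get_option( 'lfb_demo_submit_label', 'Submit' );
    echo '<button type="submit" value="' . $label . '">' . $label . '</button>'; // no escaping
}

// --- Hardened pattern ----------------------------------------------------
// 1. Authorize: only users allowed to manage settings may change the label.
// 2. Verify intent: the nonce rejects forged cross-site saves.
// 3. Sanitize on input: a button label is plain text, so strip all tags.
// 4. Escape on output, per context: esc_attr() inside an attribute,
//    esc_html() in element content. Output escaping still holds if a bad
//    value reaches the database through some other path.
function lfb_demo_save_button_label_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    if ( ! isset( $_POST['lfb_demo_nonce'] )
        || ! wp_verify_nonce( $_POST['lfb_demo_nonce'], 'lfb_demo_save_label' ) ) {
        return;
    }
    $label = isset( $_POST['submit_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['submit_label'] ) )
        : 'Submit';
    update_option( 'lfb_demo_submit_label', $label );
}
function lfb_demo_render_button_hardened() {
    $label = get_option( 'lfb_demo_submit_label', 'Submit' );
    printf(
        '<button type="submit" value="%s">%s</button>',
        esc_attr( $label ),
        esc_html( $label )
    );
}

// --- Defense in depth: a Content Security Policy without 'unsafe-inline'.
// Inline script that slips past escaping cannot run unless it carries a
// matching nonce. This policy is a starting point only: WordPress core and
// many themes emit inline scripts, so a real deployment must attach the
// nonce to those script tags (or allow-list hashes) before enforcing it.
function lfb_demo_send_csp_header() {
    if ( headers_sent() ) {
        return;
    }
    $nonce = base64_encode( random_bytes( 16 ) );
    header( "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{$nonce}'; object-src 'none'; base-uri 'self'" );
}

// --- Audit: find options that already contain script-like content, so an
// administrator can check for prior injection before and after updating.
// The two patterns are a constructed minimum; extend the list as needed.
function lfb_demo_find_suspicious_options() {
    global $wpdb;
    $patterns = array( '<script', 'javascript:' );
    $where    = array();
    $args     = array();
    foreach ( $patterns as $p ) {
        $where[] = 'option_value LIKE %s';
        $args[]  = '%' . $wpdb->esc_like( $p ) . '%';
    }
    $sql = "SELECT option_name FROM {$wpdb->options} WHERE " . implode( ' OR ', $where );
    return $wpdb->get_results( $wpdb->prepare( $sql, $args ) );
}

add_action( 'admin_post_lfb_demo_save_label', 'lfb_demo_save_button_label_hardened' );
add_action( 'send_headers', 'lfb_demo_send_csp_header' );
```

The important design point is that sanitization on input and escaping on output are separate controls: the first keeps junk out of the database, the second guarantees that whatever is in the database is rendered as text, not markup. The CSP header is a third, independent layer; it does not replace the other two, and it should be rolled out in `Content-Security-Policy-Report-Only` mode first so that legitimate inline scripts can be identified and nonced before the policy is enforced.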
To prevent this type of attack, the vendor applied our recommended prevention methods.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10475, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Artyom k.