Form Maker by 10Web is a popular WordPress plugin that enables site owners to build custom forms with drag-and-drop ease. Boasting over 50,000 active installations, it powers everything from simple contact forms to complex multi-step surveys. Despite its robust feature set, including advanced validation and styling options, the plugin contains a critical security flaw—CVE-2024-6130—that allows an editor to inject malicious JavaScript via the form field “classname” attribute. Once stored, this payload executes whenever the form is rendered, enabling account takeover, backdoor installation, and broader site compromise.
| Field | Value |
|---|---|
| CVE | CVE-2024-6130 |
| Affected plugin | Form Maker by 10Web < 1.15.26 |
| Severity | High |
| All-time downloads | 4 937 661 |
| Active installations | 50 000+ |
| Publicly published | May 30, 2025 |
| Last updated | May 30, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP Top 10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| References | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6130 , https://wpscan.com/vulnerability/bbed2968-4bd6-49ae-bd61-8a1f751e7041/ |
Timeline

| Date | Event |
|---|---|
| February 18, 2025 | Plugin testing and vulnerability detection in Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder was completed |
| February 18, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| May 30, 2025 | Registered CVE-2024-6130 |
Discovery of the Vulnerability
The vulnerability was uncovered during a comprehensive security review of Form Maker’s settings interface. Researchers observed that the “classname” field for individual form inputs accepted raw user input without proper sanitization or validation. By entering a crafted payload containing an SVG tag with an onload event, such as `"><svg src=x onload=alert(1)>`, the editor could trigger a stored XSS attack. The plugin stored this malicious content in the database and later rendered it directly into the form’s HTML output, demonstrating a clear failure to escape or strip dangerous characters.
Understanding XSS Attacks
Cross-Site Scripting (XSS) is one of the most prevalent vulnerabilities in web applications, particularly in content management systems like WordPress. Stored XSS arises when an attacker’s payload is saved on the server and subsequently served to every visitor of the affected page. WordPress attempts to mitigate this risk through capabilities such as `unfiltered_html`, but in Form Maker’s case even editor-level users retain the power to inject scripts via interface fields, because the plugin neither strips the input on save nor escapes it on output. Similar incidents have occurred in other form plugins, where malicious payloads hidden in field labels or CSS classes have led to admin cookie theft, creation of rogue user accounts, and injection of persistent backdoors.
Exploiting the XSS Vulnerability
To exploit CVE-2024-6130, an attacker with editor or higher privileges proceeds as follows.
PoC:
- Open the plugin settings
- Edit an existing form or create a new one
- Click the edit icon for any of the form fields
- Change the classname field to something like `"><svg src=x onload=alert(1)>` and save
- Verify that the payload is executed when the form is rendered
The implications of CVE-2024-6130 are severe. By leveraging stored XSS, an attacker can hijack administrator sessions, install malicious plugins, or create persistent backdoors that survive plugin updates. On high-traffic or multi-author sites, an editor could compromise fellow administrators without detection. In e-commerce contexts, this might lead to payment fraud or customer data theft; on membership sites, credential harvesting and phishing vectors become trivial. The vulnerability essentially grants an attacker with minimal access the keys to the kingdom.
Recommendations for Improved Security
- Patch Immediately: Update Form Maker to a version that properly sanitizes the “classname” and all other user-controllable fields.
- Sanitize Inputs: Plugin developers must enforce strict sanitization using `sanitize_text_field()`, `esc_attr()`, or other WordPress helper functions to strip out HTML event handlers.
- Escape Output: Always wrap dynamic attributes in `esc_attr()` or `wp_kses()` to neutralize embedded scripts.
- Reduce Editor Privileges: Constrain the `unfiltered_html` capability to administrators and consider using role management plugins to harden editor permissions.
- Implement CSP/WAF: Deploy a Content Security Policy to block inline scripts and a Web Application Firewall to detect XSS patterns in real time.
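The following is an added illustration, not Form Maker's own code, of the unsafe attribute concatenation described in the discovery section alongside the sanitize-on-save, escape-on-output and capability-restriction fixes recommended above. It assumes a WordPress runtime; the `fm_demo_*` function names and the `fm_demo_field_class` option are hypothetical, and `sanitize_html_class()` is used because a CSS class name only ever needs `A-Z a-z 0-9 _ -`.

```php
<?php
// Added example (hypothetical names), meant to run inside WordPress.

// Vulnerable pattern: the stored classname is concatenated straight into the
// attribute, so a value beginning with a double quote and '>' closes the
// attribute early and whatever follows is rendered as markup.
function fm_demo_render_field_unsafe( $classname ) {
    return '<input type="text" class="' . $classname . '">';
}

// Fix 1: sanitize on save. sanitize_html_class() keeps only [A-Za-z0-9_-],
// so quotes, angle brackets, '=' and event-handler names never reach the DB.
function fm_demo_save_field_class( $raw_classname ) {
    $classes = array_filter( array_map( 'sanitize_html_class', explode( ' ', $raw_classname ) ) );
    $clean   = implode( ' ', $classes );
    update_option( 'fm_demo_field_class', $clean );   // hypothetical option
    return $clean;
}

// Fix 2: escape on output regardless of what is stored. esc_attr() encodes
// the quote the payload relies on, so the attribute can no longer be broken out of.
function fm_demo_render_field_safe() {
    $classname = get_option( 'fm_demo_field_class', '' );
    return '<input type="text" class="' . esc_attr( $classname ) . '">';
}

// Fix 3: keep unfiltered_html for administrators only. map_meta_cap is the
// core filter that resolves a capability check; returning do_not_allow denies it.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id ) {
    if ( 'unfiltered_html' === $cap && ! user_can( $user_id, 'manage_options' ) ) {
        $caps = array( 'do_not_allow' );
    }
    return $caps;
}, 10, 3 );
```

Both fixes belong together: sanitizing on save protects the database, while escaping on output still protects the page if a value ever gets stored through another path.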
To prevent this type of attack, the vendor applied our recommended prevention methods.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-6130, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Dmitrii I.