Form Maker by 10Web is a widely used plugin for creating and managing forms in WordPress. However, a critical vulnerability, CVE-2024-10562, has been discovered in the plugin that allows stored cross-site scripting (XSS) attacks. The flaw lets attackers with editor-level privileges inject malicious JavaScript into form settings; the script is stored and then executed whenever the form is rendered. The injected script can create a backdoor, allowing attackers to escalate their privileges and potentially gain full control over the site. With over 50,000 active installations, this vulnerability poses a significant security risk for WordPress websites using Form Maker by 10Web.
CVE-2024-10562 – Form Maker by 10Web – Stored XSS to JS Backdoor Creation – POC
