Form Maker by 10Web is a popular WordPress plugin used to create forms and widgets for various purposes, such as contact forms, surveys, and user registration. The plugin is widely used by website administrators for its ease of use and flexibility. However, a critical vulnerability, CVE-2024-10558, has been discovered in the plugin, which allows attackers to inject malicious JavaScript into the “Title” field of a widget. This Stored Cross-Site Scripting (XSS) vulnerability can result in the execution of arbitrary JavaScript on the website, potentially leading to account takeover and the creation of backdoor access. The vulnerability can be exploited by any user with editor privileges or higher, posing a significant risk to WordPress websites using the plugin.
| Field | Value |
|---|---|
| CVE | CVE-2024-10558 |
| Plugin | Form Maker by 10Web < 1.15.30 |
| Critical | High |
| All Time | 4 909 444 |
| Active installations | 50 000+ |
| Publicly Published | March 11, 2025 |
| Last Updated | March 11, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10558, https://wpscan.com/vulnerability/7028db78-2870-48d5-b06b-480ac8be3655/ |
Timeline
| Date | Event |
|---|---|
| October 9, 2024 | Plugin testing and vulnerability detection in Form Maker by 10Web have been completed |
| October 9, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing it |
| March 11, 2025 | Registered CVE-2024-10558 |
Discovery of the Vulnerability
CVE-2024-10558 was identified during a security review of the Form Maker plugin, specifically in the widget settings. The vulnerability exists because the plugin fails to sanitize input properly in the “Title” field of the widget settings. This field sets the title of widgets created by the Form Maker plugin, but the plugin neither validates nor escapes its value. As a result, an attacker can inject malicious JavaScript into the “Title” field; the payload is stored in the database and later executed when the widget is rendered on the website. This vulnerability is particularly dangerous because it can be exploited by users with the Editor role or higher, who typically have enough privileges to create and modify widgets.
Understanding XSS Attacks
Cross-Site Scripting (XSS) is one of the most common vulnerabilities found in web applications, including WordPress plugins. XSS vulnerabilities allow attackers to inject malicious JavaScript into a website, which is then executed by the browser of unsuspecting visitors. These attacks can have serious consequences, such as session hijacking, stealing sensitive information, defacing websites, or installing malware. In WordPress, XSS vulnerabilities are often found in plugins that allow user input without proper sanitization. A well-known example of XSS exploitation occurred in the WPForms plugin, where attackers injected malicious scripts into form fields. Similarly, CVE-2024-10558 in Form Maker allows attackers to inject JavaScript into the widget’s “Title” field, leading to the execution of malicious code when the widget is displayed.
Exploiting the XSS Vulnerability
To exploit CVE-2024-10558, an attacker with Editor or higher privileges proceeds as follows.
PoC:
Create a new Form Maker widget, set its "Title" field to malicious JavaScript (eval() and the like), and save the settings. (Administrators and Editors are allowed to use JS in posts, pages, comments, etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS with those roles.)
The risks associated with CVE-2024-10558 are significant. If exploited, an attacker could gain full control of the WordPress site by executing JavaScript that steals session cookies or hijacks the user’s session. This could allow the attacker to perform unauthorized actions, such as modifying content, installing malicious plugins, or even taking over the administrator account. In a real-world scenario, an attacker could use this vulnerability to escalate privileges and create a backdoor admin account, giving them persistent access to the site. This is particularly concerning for websites that store sensitive user data, such as e-commerce platforms or membership sites. The exploitation of this vulnerability could lead to data breaches, financial losses, and reputational damage. Additionally, the attacker could use the backdoor to inject further malicious scripts or malware into the site.
Recommendations for Improved Security
To mitigate the risks posed by CVE-2024-10558, administrators should immediately update the Form Maker plugin to the latest version once a patch is available. It is also essential to restrict the unfiltered_html capability for non-admin users, especially Editors, to prevent them from injecting JavaScript into plugin settings. Proper input validation and sanitization should be implemented for all user input fields, including the “Title” field in the widget settings. WordPress developers should ensure that any input field that affects frontend content is sanitized with functions such as sanitize_text_field() and wp_kses(). Additionally, administrators should consider implementing a Content Security Policy (CSP) to prevent the execution of unauthorized scripts, and should conduct regular security audits to identify and fix potential vulnerabilities. To prevent this type of attack, the vendor applied the prevention methods we recommended.
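The sanitize-on-save and escape-on-output pattern recommended above, as an added example that is not Form Maker's own code: a hypothetical WordPress widget whose "Title" setting is stored and rendered, shown first with the unsanitized pattern behind CVE-2024-10558 and then hardened with sanitize_text_field() and esc_html(), plus the unfiltered_html restriction for the Editor role. The class and widget names are invented for illustration.

```php
<?php
// Added example, not Form Maker's code. Two hypothetical widgets: the first
// reproduces the unsafe pattern (raw "Title" saved and echoed), the second
// sanitizes on save and escapes on output.

class Vulnerable_Title_Widget extends WP_Widget {
    public function __construct() {
        parent::__construct( 'vuln_title_widget', 'Vulnerable Title Widget' );
    }
    // Insecure: the submitted title is stored exactly as received.
    public function update( $new_instance, $old_instance ) {
        return array( 'title' => $new_instance['title'] );
    }
    // Insecure: the stored title is printed unescaped, so any markup or
    // <script> it contains is interpreted by the visitor's browser.
    public function widget( $args, $instance ) {
        echo $args['before_title'] . $instance['title'] . $args['after_title'];
    }
}

class Hardened_Title_Widget extends WP_Widget {
    public function __construct() {
        parent::__construct( 'safe_title_widget', 'Hardened Title Widget' );
    }
    // Sanitize on save: sanitize_text_field() strips tags, percent-encoded
    // octets and line breaks, so no script reaches the database.
    public function update( $new_instance, $old_instance ) {
        return array( 'title' => sanitize_text_field( $new_instance['title'] ) );
    }
    // Escape on output: esc_html() encodes <, >, & and quotes, so the title
    // renders as text even if the stored value was changed by another path.
    public function widget( $args, $instance ) {
        $title = apply_filters( 'widget_title', $instance['title'] );
        echo $args['before_title'] . esc_html( $title ) . $args['after_title'];
    }
}

add_action( 'widgets_init', function () {
    register_widget( 'Hardened_Title_Widget' );
} );

// Defense in depth, as recommended above: take unfiltered_html away from the
// Editor role so that role cannot save raw HTML/JS anywhere on the site.
add_action( 'init', function () {
    $editor = get_role( 'editor' );
    if ( $editor && $editor->has_cap( 'unfiltered_html' ) ) {
        $editor->remove_cap( 'unfiltered_html' );
    }
} );
```

The role change made by remove_cap() is persisted in the database, so the init hook only does work on the first run; the vulnerable class is deliberately never registered.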
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10558, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.