Form Maker by 10Web is a popular WordPress plugin that allows users to create custom forms for their websites. With over 50,000 active installations, it’s used widely for collecting data, including user registrations, feedback, and other forms of submission. However, a critical vulnerability, CVE-2024-10560, has been discovered within the plugin. This stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject and execute malicious JavaScript in a form’s description field. Once this script is executed, it enables attackers to gain control over the site by creating backdoors, potentially escalating privileges to admin-level access.
| Field | Value |
|---|---|
| CVE | CVE-2024-10560 |
| Plugin | Form Maker by 10Web < 1.15.30 |
| Severity | High |
| All Time | 4 911 796 |
| Active installations | 50 000+ |
| Publicly Published | March 11, 2025 |
| Last Updated | March 11, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10560, https://wpscan.com/vulnerability/80298c89-544d-4894-a837-253f5f26cf42/ |
Timeline

| Date | Event |
|---|---|
| October 8, 2024 | Plugin testing and vulnerability detection in Form Maker by 10Web were completed |
| October 8, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| March 11, 2025 | Registered CVE-2024-10560 |
Discovery of the Vulnerability
The vulnerability in Form Maker by 10Web was discovered during security testing. Specifically, the issue was found in the “Description” field within the form settings. This field allows users to add descriptions to the forms, but the input is not properly sanitized or validated before being rendered on the page. Because the description is displayed on the front end of the site, an attacker can inject malicious JavaScript into this field, which will execute when the form is viewed. This vulnerability can be triggered by any user with editor-level permissions or higher, making it accessible to a wide range of attackers.
Understanding XSS attacks
Cross-Site Scripting (XSS) vulnerabilities occur when an attacker is able to inject malicious scripts into web pages that are then executed by the browsers of users who view those pages. In WordPress, XSS vulnerabilities are often found in plugins that display user-supplied data without proper sanitization or output escaping. For example, in previous incidents, XSS vulnerabilities in the WPForms plugin allowed attackers to execute malicious JavaScript when forms were viewed by administrators, leading to session hijacking and unauthorized access. Similarly, CVE-2024-10560 in Form Maker enables attackers to inject JavaScript into the form’s description field, which could allow them to escalate privileges or create backdoors.
Exploiting the XSS Vulnerability
To exploit CVE-2024-10560, an attacker with editor+ privileges:
POC:
Create a new Slider by 10WEB widget. Change the "Title" field to malicious JS code (eval() and the like), for example 123"onmouseover=alert(11251)// -> Save Settings. (Admins and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles.)
____
The risk posed by CVE-2024-10560 is significant, particularly for websites that handle sensitive data or use forms for critical functionality. In a real-world scenario, an attacker could use this vulnerability to escalate from a low-level user role, such as a contributor or editor, to full administrator access. Once the attacker gains admin privileges, they can perform a variety of malicious actions, including installing malware, modifying content, deleting data, or accessing sensitive user information. For example, an attacker could inject scripts that steal session cookies or create backdoors that persist even after the site appears to be fixed. This type of attack could be especially devastating for e-commerce sites, membership platforms, or sites with user-generated content, as it could lead to data breaches, defacement, or loss of control over the website.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-10560, it is crucial for users of the Form Maker by 10Web plugin to update to the latest patched version as soon as one becomes available. Additionally, plugin developers should implement proper input sanitization for all fields that render user input, especially those that display on the front end. WordPress functions such as esc_html(), wp_kses(), and sanitize_text_field() should be used to strip or neutralize malicious code in user input. Site administrators should also restrict access to form creation and editing settings to trusted roles, ensuring that only admins or users with specific permissions can modify critical form settings. Finally, implementing a Web Application Firewall (WAF) and performing regular security audits can help detect and block XSS attacks before they can be exploited. To prevent this type of attack, the vendor applied the methods of prevention we recommended.
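As an added illustration (not the plugin's own code, and not the vendor's fix), the snippet below places the unsafe rendering of a form description beside a hardened version that filters with wp_kses() on save and escapes with esc_attr()/esc_html() on output. The function names and the $description value are hypothetical; the stand-in definitions only exist so the file runs outside WordPress, where the real functions are used instead.

```php
<?php
// Added example, not Form Maker's own code. Names are hypothetical.
// Constructed input of the kind described in the PoC: a quote closes the
// attribute and an event handler is smuggled in after it.
$description = '123"onmouseover=alert(11251)//';

// Stand-ins so this file runs outside WordPress. Inside WordPress the real
// esc_html(), esc_attr() and wp_kses() exist and these blocks are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('wp_kses')) {
    // wp_kses() keeps only allowlisted tags/attributes; with an empty
    // allowlist every tag is removed, which strip_tags() approximates.
    function wp_kses($text, $allowed_html) {
        return strip_tags($text);
    }
}

// VULNERABLE: the stored value is concatenated into an attribute and into
// the text node unescaped, so the injected quote and handler become live HTML.
function render_description_unsafe($description) {
    return '<div class="fm-description" title="' . $description . '">'
         . $description . '</div>';
}

// HARDENED: filter on save against an allowlist (here: plain text only),
// then escape on output for the exact context (attribute vs. text node).
function sanitize_description_on_save($description) {
    return wp_kses($description, array());
}
function render_description_safe($description) {
    $clean = sanitize_description_on_save($description);
    return '<div class="fm-description" title="' . esc_attr($clean) . '">'
         . esc_html($clean) . '</div>';
}

echo render_description_unsafe($description), PHP_EOL; // attribute broken out of
echo render_description_safe($description), PHP_EOL;   // quote rendered as &quot;
```

Note that filtering alone is not enough: strip_tags()/wp_kses() leave the stray quote in place, and only the context-aware escaping on output keeps it from terminating the attribute.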
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10560, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.