Form Maker by 10Web is a popular WordPress plugin designed to simplify the process of creating and managing forms. With over 50,000 active installations, it provides a versatile and user-friendly interface for adding various types of forms to WordPress websites. However, a critical vulnerability, CVE-2024-10680, has been discovered in the plugin that allows attackers to exploit stored Cross-Site Scripting (XSS). This vulnerability enables attackers to inject malicious scripts, potentially giving them access to admin accounts and creating backdoors in the system.
| Field | Value |
|---|---|
| CVE | CVE-2024-10680 |
| Plugin | Form Maker by 10Web < 1.15.32 |
| Critical | High |
| All Time | 4 630 195 |
| Active installations | 50 000+ |
| Publicly Published | April 22, 2025 |
| Last Updated | April 22, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10680, https://wpscan.com/vulnerability/240948d7-ece0-437f-b926-62937bdbd9db/ |
Timeline

| Date | Event |
|---|---|
| October 15, 2024 | Plugin testing and vulnerability detection in Form Maker by 10Web were completed |
| October 15, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| April 22, 2025 | Registered CVE-2024-10680 |
Discovery of the Vulnerability
The vulnerability was discovered during a routine security test of the Form Maker plugin. It was found that the plugin fails to properly sanitize user input in the HTML field, particularly the “Image” field within the HTML section. When users can add custom HTML code to their forms without proper input sanitization, they are vulnerable to the injection of malicious JavaScript. This flaw can be exploited by users with editor-level access, enabling them to escalate their privileges and potentially compromise the entire WordPress site.
Understanding XSS attacks
Cross-Site Scripting (XSS) is one of the most common and severe vulnerabilities in web applications. It allows attackers to inject malicious scripts into web pages viewed by other users. These scripts are then executed in the context of the victim’s browser, enabling attackers to steal session cookies, hijack user accounts, or escalate privileges. In WordPress, XSS vulnerabilities are especially problematic because they can be easily exploited by users with lower roles, like contributors or editors. Real-world examples include attackers using XSS to inject scripts that modify website content, steal user data, or launch phishing attacks. In the case of CVE-2024-10680, the attack allows for privilege escalation from editor-level users to admin-level users, posing a significant threat to the website’s security.
Exploiting the XSS Vulnerability
To exploit CVE-2024-10680, an attacker with editor-level (or higher) privileges proceeds as follows.
PoC:
Create a new form in Form Maker, add a new "HTML" field, and set the "Image" field in the "HTML" section to malicious JavaScript (eval() and similar), for example `<img src="x" onmouseover="alert(1)//" "="">`, then Save Settings. (Admins and editors are allowed to use JS in posts/pages/comments, so the unfiltered_html capability should be disallowed when testing for Stored XSS with such roles.)
The risk posed by CVE-2024-10680 is significant, particularly for websites that rely on Form Maker for user-generated forms. If exploited, an attacker can gain full control over the website by hijacking the admin’s session or escalating privileges. In a real-world scenario, this could lead to the attacker modifying site settings, stealing sensitive data, injecting malware, or even defacing the website. E-commerce websites or platforms that handle sensitive user data would be particularly vulnerable, as attackers could use this vulnerability to gain access to customer information, payment details, and other confidential data. The backdoor created by the attacker could be used for long-term access, making it difficult to detect and remediate.
Recommendations for Improved Security
To mitigate the risk of CVE-2024-10680, users should immediately update the Form Maker plugin to the latest version, which includes a fix for this XSS vulnerability. Developers should ensure that all input fields in the plugin, especially those that accept HTML, are properly sanitized using WordPress’s built-in functions such as esc_html() or wp_kses(). Additionally, administrators should limit the roles of users who can access sensitive plugin settings and regularly audit their plugins for security vulnerabilities. Implementing a Content Security Policy (CSP) and using a Web Application Firewall (WAF) can also help to prevent malicious scripts from executing in the first place. To prevent this type of attack, the vendor applied the prevention methods we recommended.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10680, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.