Form Maker by 10Web is a widely used WordPress plugin that allows users to easily create and manage forms for a variety of purposes, such as contact forms, surveys, and registration forms. However, a critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-13605, has been discovered in the plugin. This vulnerability allows attackers with editor-level access to inject malicious JavaScript into the “Width” field in the theme settings. When this setting is saved, the malicious script is stored and executed in the browser of any user who hovers over the input field, potentially leading to account takeover and the creation of backdoor admin accounts. With over 50,000 active installations, this flaw poses a serious security risk to WordPress websites using Form Maker.

CVE: CVE-2024-13605
Plugin: Form Maker by 10Web < 1.15.33
Criticality: High
All Time: 4 955 234
Active installations: 50 000+
Publicly Published: January 17, 2025
Last Updated: January 17, 2025
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13605/
https://wpscan.com/vulnerability/d5543b3b-1c28-481b-aba4-9a07d160e1f2/

Timeline

December 27, 2024: Plugin testing and vulnerability detection in the Form Maker by 10Web have been completed
December 27, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
January 17, 2025: Registered CVE-2024-13605

Discovery of the Vulnerability

The vulnerability was discovered during a security audit of Form Maker by 10Web, particularly in the theme settings. The issue is found in the “Width” field, which is part of the theme configuration for customizing form styles. The vulnerability arises from improper input sanitization, which allows users to inject JavaScript code into the field. Specifically, when the “Width” field is modified with malicious JavaScript, such as DELETED, the injected script is saved in the WordPress database. When an administrator or editor hovers over the field, the script is executed, potentially compromising the site. This flaw is particularly dangerous because it can be exploited by low-privileged users, such as editors, who should not typically have the ability to execute JavaScript.

Understanding XSS Attacks

Cross-Site Scripting (XSS) is one of the most common and dangerous vulnerabilities in WordPress plugins. It occurs when an attacker injects malicious JavaScript into a website, which is then executed in the browser of anyone who views the affected page. XSS vulnerabilities are often found in plugins that allow user input without proper validation or sanitization. A real-world example of XSS in WordPress occurred in the WPForms plugin, where attackers could inject JavaScript into form fields, leading to session hijacking. CVE-2024-13605 in Form Maker follows a similar pattern, allowing an attacker to inject JavaScript into the “Width” field in theme settings, which is later executed on the frontend when an unsuspecting user hovers over the input field.

Exploiting the XSS Vulnerability

An attacker with editor-level privileges can trigger CVE-2024-13605 as follows:

POC:

1) Edit any default theme: 123/wordpress/wp-admin/admin.php?page=themes_fm&task=edit&current_id=2
2) Change the "Width" field to a malicious JS payload
3) To trigger the XSS, hover over the "Width" input field


The risks associated with CVE-2024-13605 are considerable. If exploited, an attacker could hijack the session of an administrator or another user with higher privileges, granting them full control over the WordPress site. Once the attacker gains admin access, they can modify content, install malicious plugins, steal sensitive data, or deface the site. In a real-world scenario, an attacker could use this vulnerability to create a backdoor admin account, allowing them to retain control of the site even after the vulnerability is patched. This is especially concerning for websites handling sensitive user information, such as e-commerce or membership sites, where exploitation of this vulnerability could lead to data breaches, financial losses, and reputational damage. Additionally, the attacker could install further malicious code or compromise other systems connected to the WordPress site.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2024-13605, administrators should immediately update the Form Maker plugin to the latest patched version once a fix is released. Administrators should also restrict the unfiltered_html capability for non-admin users, especially editors, to prevent JavaScript injection in plugin settings. Proper input sanitization and validation should be implemented for all user inputs, especially in fields that affect frontend content, such as the “Width” field. Implementing a Content Security Policy (CSP) and performing regular security audits can help detect and block potential XSS vulnerabilities before they can be exploited. Limiting user permissions and reviewing user roles periodically can also help prevent privilege escalation attacks. The vendor applied our recommended methods of prevention to close this type of attack.
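The two passages above (the discovery of the unsanitized “Width” field and the recommendations for fixing it) describe one pattern: a setting is stored as-is and later printed into HTML. The following PHP is an added illustration written for this page, not Form Maker's own code, showing the vulnerable save/render pair beside a hardened one built on standard WordPress functions. All `fm_demo_*` function names, the option name and the markup layout are assumptions; the WordPress functions used (`update_option`, `get_option`, `esc_attr`, `current_user_can`, `wp_unslash`, `get_role`, `WP_Error`) are real.

```php
<?php
/*
 * Added illustration (not Form Maker's own code): how a theme "Width"
 * setting becomes a stored XSS sink, and how to close it.
 * The fm_demo_* names, option name and markup are assumptions.
 */

// --- Vulnerable pattern -----------------------------------------------------
// The raw value is stored and later printed into an attribute without
// escaping. Anything in the stored string that closes the attribute is then
// interpreted as markup, so an injected event handler fires on hover.
function fm_demo_save_width_vulnerable( $posted_width ) {
    update_option( 'fm_demo_theme_width', $posted_width ); // no validation
}

function fm_demo_render_width_vulnerable() {
    $width = get_option( 'fm_demo_theme_width', '100%' );
    echo '<input type="text" name="width" value="' . $width . '">'; // unescaped
}

// --- Hardened pattern --------------------------------------------------------
// 1) Validate on save. A width is a number with an optional CSS length unit,
//    or the keyword "auto". Anything else is rejected rather than "cleaned up",
//    so there is no way for markup to reach the database through this field.
function fm_demo_validate_width( $value ) {
    $value = trim( (string) $value );
    if ( 'auto' === $value ) {
        return 'auto';
    }
    if ( preg_match( '/^\d+(\.\d+)?(px|%|em|rem|vw)?$/', $value ) ) {
        return $value;
    }
    return new WP_Error(
        'fm_demo_bad_width',
        'Width must be a number with an optional unit (px, %, em, rem, vw) or "auto".'
    );
}

function fm_demo_save_width_hardened( $posted_width ) {
    // Authorization on save: only users who may manage settings change them.
    // (manage_options is held by administrators, not editors.)
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'fm_demo_forbidden', 'Insufficient privileges.' );
    }
    $width = fm_demo_validate_width( wp_unslash( $posted_width ) );
    if ( is_wp_error( $width ) ) {
        return $width;
    }
    update_option( 'fm_demo_theme_width', $width );
    return true;
}

// 2) Escape on output regardless of what is stored. esc_attr() encodes the
//    quote and angle-bracket characters needed to leave an attribute, so even
//    a value that slipped past validation renders as inert text.
function fm_demo_render_width_hardened() {
    $width = get_option( 'fm_demo_theme_width', '100%' );
    echo '<input type="text" name="width" value="' . esc_attr( $width ) . '">';
    // The same rule applies where the value lands on the frontend.
    echo '<div class="fm-demo-form" style="width:' . esc_attr( $width ) . '"></div>';
}

// 3) Defence in depth: deny editors the unfiltered_html capability, as the
//    recommendations above suggest. Either set the constant in wp-config.php:
//        define( 'DISALLOW_UNFILTERED_HTML', true );
//    or remove the capability from the Editor role once (e.g. on activation).
function fm_demo_restrict_editor_unfiltered_html() {
    $role = get_role( 'editor' );
    if ( $role && $role->has_cap( 'unfiltered_html' ) ) {
        $role->remove_cap( 'unfiltered_html' );
    }
}
```

The validator is deliberately an allow-list: a width only ever needs digits and a unit, so rejecting everything else is simpler and safer than trying to strip script fragments out of free text. Output escaping is kept as a second, independent layer because settings can also arrive through imports or direct database edits that never pass the save handler.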

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-13605, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.


Dmitrii I.
CVE-2024-13605 – Form Maker by 10Web – Stored XSS to JS Backdoor Creation – POC
