Form Maker by 10Web Vulnerability – Authenticated (Administrator+) Stored Cross-Site Scripting – CVE-2024-34437 | WordPress Plugin Vulnerability Report

Plugin Name: Form Maker by 10Web

Key Information:

  • Software Type: Plugin
  • Software Slug: form-maker
  • Software Status: Active
  • Software Author: 10web
  • Software Downloads: 4,739,339
  • Active Installs: 50,000
  • Last Updated: May 7, 2024
  • Patched Versions: 1.15.25
  • Affected Versions: <= 1.15.24

Vulnerability Details:

  • Name: Form Maker by 10Web <= 1.15.24 - Authenticated (Administrator+) Stored Cross-Site Scripting
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2024-34437
  • CVSS Score: 4.4 (Medium)
  • Publicly Published: May 7, 2024
  • Researcher: Huynh Tien Si
  • Description: The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.15.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Summary:

The Form Maker by 10Web plugin for WordPress, in versions up to and including 1.15.24, lets authenticated attackers with administrator-level permissions or above store arbitrary web scripts through the plugin's admin settings; the scripts execute whenever a user accesses an injected page. The cause is insufficient input sanitization and output escaping. The issue only matters on multisite installations and on sites where unfiltered_html has been disabled, because elsewhere an administrator is already allowed to post unfiltered HTML. It is fixed in version 1.15.25.

Detailed Overview:

Huynh Tien Si discovered a Stored Cross-Site Scripting vulnerability in the Form Maker by 10Web plugin for WordPress. The vulnerability exists in the admin settings of the plugin in all versions up to, and including, 1.15.24. Due to insufficient input sanitization and output escaping, authenticated attackers with administrator-level permissions and above can store arbitrary web scripts that execute whenever a user accesses an injected page. The scope condition is the important part. On a single-site install an administrator normally holds the unfiltered_html capability and can place script in content anyway, so a plugin that fails to filter adds nothing new. The bug matters where that capability has deliberately been withheld: on multisite, where only super administrators have unfiltered_html and site administrators do not, and on sites that set the DISALLOW_UNFILTERED_HTML constant in wp-config.php. In those setups a site administrator, or an attacker holding such an account, can store script that runs in the browser of anyone who views the injected page, including super administrators, which crosses a privilege boundary WordPress intends to enforce. That narrow scope and the administrator-level prerequisite are why the issue is rated 4.4 (Medium) rather than high.
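The advisory describes the class of bug ("insufficient input sanitization and output escaping" on an admin setting) without showing code. The following is an added illustration written for this report, not Form Maker's own code: a generic WordPress settings handler in its vulnerable shape next to a hardened one that mirrors the unfiltered_html decision WordPress itself makes. The option names, field names and function names (example_*) are invented for the example.

```php
<?php
// Added example (not Form Maker's code): the general save/render pattern behind an
// "insufficient input sanitization and output escaping" finding on a WordPress admin
// setting, and its hardened form. Option and field names are made up.

// --- Vulnerable shape: stored raw, echoed raw -------------------------------------

function example_save_setting_vulnerable() {
    // Nonce and capability checks are present, so only an administrator reaches this,
    // yet the value is neither sanitized on save nor escaped on output.
    check_admin_referer( 'example_settings' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden' );
    }
    update_option( 'example_footer_html', wp_unslash( $_POST['footer_html'] ?? '' ) );
}

function example_render_setting_vulnerable() {
    // Runs in every visitor's and every admin's browser, regardless of whether the
    // site allows the saving user to post unfiltered HTML.
    echo '<div class="form-footer">' . get_option( 'example_footer_html', '' ) . '</div>';
}

// --- Hardened shape: honour unfiltered_html on save, escape at the sink -----------

function example_save_setting_hardened() {
    check_admin_referer( 'example_settings' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden' );
    }
    $raw = wp_unslash( $_POST['footer_html'] ?? '' );

    // unfiltered_html is the capability WordPress uses to decide who may store
    // arbitrary markup. Site administrators on multisite do not have it (only super
    // admins do), and DISALLOW_UNFILTERED_HTML removes it for everyone. Making the
    // same decision here is what closes the bypass the advisory describes.
    if ( current_user_can( 'unfiltered_html' ) ) {
        $clean = $raw;
    } else {
        $clean = wp_kses_post( $raw ); // strips <script>, on* handlers, javascript: URLs
    }
    update_option( 'example_footer_html', $clean );
}

function example_render_setting_hardened() {
    // Filter at the sink too, so a value that reached the options table by another
    // route (import, direct DB write, an older plugin version) still cannot run.
    echo '<div class="form-footer">' . wp_kses_post( get_option( 'example_footer_html', '' ) ) . '</div>';
}

// Plain-text settings (labels, titles, email subjects) should never carry HTML at all.
function example_save_label() {
    check_admin_referer( 'example_settings' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden' );
    }
    update_option( 'example_form_label', sanitize_text_field( wp_unslash( $_POST['label'] ?? '' ) ) );
}

function example_render_label() {
    echo '<label>' . esc_html( get_option( 'example_form_label', '' ) ) . '</label>';
}
```

The save-side branch is the part that corresponds to the advisory's scope note: a plugin that stores whatever an administrator submits is effectively granting unfiltered_html to every administrator, which is exactly what multisite and DISALLOW_UNFILTERED_HTML are meant to prevent. Filtering again on output is a defence-in-depth choice; if a feature genuinely needs to let super administrators embed script, the render path must then trust only values saved by a user who held the capability, which is harder to get right than simply filtering at both ends.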

Advice for Users:

  1. Immediate Action: Users should update the Form Maker by 10Web plugin to version 1.15.25 or later to patch this vulnerability.
  2. Check for Signs of Exploitation: If the site is a multisite, or has DISALLOW_UNFILTERED_HTML set, and ran an affected version, review the plugin's saved forms and settings for markup that does not belong there (<script> tags, on* event handlers, javascript: URLs), and review which accounts hold site-administrator roles and when they were last used.
  3. Alternate Plugins: A patch is available, so switching is not required because of this issue; if you weigh alternatives, base the decision on the plugin's overall security history rather than this single finding.
  4. Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.
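To turn the advice above into a repeatable check, here is an added WP-CLI script written for this report (not part of the advisory or the plugin). Run it with `wp eval-file check-form-maker.php`. It reports the installed version, whether the site is in one of the two affected configurations, and which options contain script-like markup. The plugin main-file path `form-maker/form-maker.php` is an assumption about the plugin's layout; if the plugin stores forms in its own tables, the options scan below will not see them and needs extending.

```php
<?php
/**
 * Added example for this report, not the plugin's or the advisory's code.
 * Usage: wp eval-file check-form-maker.php
 * Answers: which Form Maker version is installed, whether the site is multisite
 * or has DISALLOW_UNFILTERED_HTML set (the configurations the advisory says are
 * affected), and whether any option holds script-like markup worth a manual look.
 */

// Assumed main plugin file, relative to the plugins directory.
const FM_PLUGIN_FILE = 'form-maker/form-maker.php';
const FM_PATCHED     = '1.15.25';

function fm_installed_version() {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $path = WP_PLUGIN_DIR . '/' . FM_PLUGIN_FILE;
    if ( ! file_exists( $path ) ) {
        return null;
    }
    $data = get_plugin_data( $path, false, false );
    return isset( $data['Version'] ) ? $data['Version'] : null;
}

// Affected range from the advisory: every version below the patched release.
function fm_version_affected( $version ) {
    return null !== $version && version_compare( $version, FM_PATCHED, '<' );
}

function fm_unfiltered_html_disabled() {
    return defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML;
}

// The two configurations in which the advisory says the bug is exploitable.
function fm_config_affected() {
    return is_multisite() || fm_unfiltered_html_disabled();
}

// Coarse indicators only; every hit should be reviewed by hand. Plugin data kept
// in custom tables is not covered by this query.
function fm_suspicious_option_names() {
    global $wpdb;
    return $wpdb->get_col(
        "SELECT option_name FROM {$wpdb->options}
         WHERE option_value LIKE '%<script%'
            OR option_value LIKE '%javascript:%'
            OR option_value LIKE '%onerror=%'
            OR option_value LIKE '%onload=%'"
    );
}

$version = fm_installed_version();
if ( null === $version ) {
    WP_CLI::log( 'Form Maker not found at ' . FM_PLUGIN_FILE );
    return;
}

WP_CLI::log( sprintf( 'Form Maker %s installed (patched release: %s)', $version, FM_PATCHED ) );
WP_CLI::log( 'multisite: ' . ( is_multisite() ? 'yes' : 'no' ) );
WP_CLI::log( 'DISALLOW_UNFILTERED_HTML: ' . ( fm_unfiltered_html_disabled() ? 'set' : 'not set' ) );

if ( fm_version_affected( $version ) && fm_config_affected() ) {
    WP_CLI::warning( 'Affected version in an affected configuration: update to ' . FM_PATCHED . ' or later.' );
} elseif ( fm_version_affected( $version ) ) {
    WP_CLI::warning( 'Affected version; this site is outside the advisory scope, but update anyway.' );
} else {
    WP_CLI::success( 'Version not affected by CVE-2024-34437.' );
}

foreach ( fm_suspicious_option_names() as $name ) {
    WP_CLI::warning( 'Option contains script-like markup, review it: ' . $name );
}
```

On a multisite network run the script once per site (for example with `wp site list --field=url` feeding `--url=`), because options and installed-plugin state are per site while the super-administrator boundary is network-wide.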

The prompt response from the Form Maker by 10Web plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 1.15.25 or later to secure their WordPress installations.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/form-maker

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/form-maker/form-maker-by-10web-11524-authenticated-administrator-stored-cross-site-scripting

Detailed Report:

In the ever-evolving digital landscape, website security is paramount. As a website owner, it's your responsibility to ensure that your site is protected from potential threats and vulnerabilities. One of the most critical aspects of maintaining a secure website is keeping your WordPress plugins up to date. In this blog post, we'll discuss the recent vulnerability discovered in the Form Maker by 10Web plugin and the importance of regularly updating your plugins to mitigate security risks.

The Form Maker by 10Web Plugin

The Form Maker by 10Web plugin is a popular choice for creating mobile-friendly contact forms in WordPress. It has been downloaded over 4.7 million times and has an active installation base of 50,000 sites. The plugin is developed by 10web and was last updated on May 7, 2024.

The Vulnerability: CVE-2024-34437

A vulnerability was discovered in the Form Maker by 10Web plugin, affecting all versions up to and including 1.15.24. The vulnerability, identified as CVE-2024-34437 and scored 4.4 (Medium), allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. It is due to insufficient input sanitization and output escaping, and it only affects multi-site installations and installations where unfiltered_html has been disabled, because on any other site an administrator already holds that capability and gains nothing from the bug.

Risks and Potential Impacts

Because exploitation requires an administrator-level account, the realistic risk is from a compromised or rogue site administrator rather than from the public internet. On an affected installation such an account can store script that runs in the browsers of other users, including super administrators on a multisite network, and use it to act as those users, read data their sessions can reach, or alter site content. For businesses that run several sites from one multisite network, this undermines the separation between site administrators and network administrators that the network relies on.

Remediating the Vulnerability

To protect your website from this vulnerability, it is crucial to update the Form Maker by 10Web plugin to version 1.15.25 or later, which includes a patch for this vulnerability. If you're unsure about how to update your plugins or concerned about the security of your website, don't hesitate to reach out to a professional web development or security company for assistance.

Previous Vulnerabilities

It's important to note that this is not the first vulnerability discovered in the Form Maker by 10Web plugin. Since April 2018, there have been 17 previous vulnerabilities reported. This underscores the importance of regularly monitoring and updating your WordPress plugins to ensure the security of your website.

The Importance of Staying on Top of Security Vulnerabilities

As a small business owner, you may not have the time or resources to stay on top of every security vulnerability that arises. However, the consequences of neglecting website security can be severe, ranging from data breaches to loss of customer trust and revenue. By partnering with a reliable web development or security company, you can ensure that your website remains secure and protected from the latest threats, allowing you to focus on running your business.


As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.

Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.
