Form Maker by 10Web Vulnerability – Mobile-Friendly Drag & Drop Contact Form Builder – Authenticated Stored Self-Based Cross-Site Scripting – CVE-2024-2258 | WordPress Plugin Vulnerability Report 

Plugin Name: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

Key Information:

  • Software Type: Plugin
  • Software Slug: form-maker
  • Software Status: Active
  • Software Author: 10web
  • Software Downloads: 4,737,462
  • Active Installs: 50,000
  • Last Updated: May 13, 2024
  • Patched Versions: 1.15.25
  • Affected Versions: 1.15.24

Vulnerability Details:

  • Name: Form Maker by 10Web <= 1.15.24
  • Title: Authenticated (Subscriber+) Stored Self-Based Cross-Site Scripting
  • Type: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-2258
  • CVSS Score: 4.4
  • Publicly Published: April 26, 2024
  • Researcher: stealthcopter
  • Description: The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name autofilled into forms in all versions up to, and including, 1.15.24. Insufficient input sanitization and output escaping allow authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts into pages. These scripts will execute whenever a user accesses an injected page.


The Form Maker by 10Web plugin for WordPress has a vulnerability in versions up to and including 1.15.24 that allows for stored cross-site scripting via autofill fields such as a user’s display name. This security flaw has been corrected in the recently released patch version 1.15.25.

Detailed Overview:

Discovered by the security researcher known as stealthcopter, this vulnerability specifically impacts the plugin's handling of display names in form fields. Because these fields are not properly sanitized, attackers can embed malicious scripts, which are then saved within the form data. When other users view these forms, the malicious scripts execute, potentially leading to unauthorized actions being performed on behalf of the user or data being stolen directly from the user's session. The plugin developers have addressed these concerns in version 1.15.25 by implementing proper sanitization and escaping mechanisms.

Advice for Users:

  • Immediate Action: Update to version 1.15.25 immediately to mitigate this vulnerability.
  • Check for Signs of Vulnerability: Review form submissions for unusual content that could indicate script injection.
  • Alternate Plugins: While the latest version is secure, consider exploring alternative contact form plugins that maintain robust security practices if desired.
  • Stay Updated: Regularly ensure that your plugins, themes, and core WordPress installation are updated to the latest versions.


The rapid response by 10web to patch this vulnerability in the Form Maker plugin highlights the necessity of quick action in the digital security arena. Users of the plugin are strongly advised to upgrade to the patched version to prevent exploitation by attackers and to secure their WordPress installations against potential threats.


Detailed Report: 

In the digital world, maintaining the security of your website is as crucial as locking the doors to your physical business at night. Recently, a significant security vulnerability was identified in the widely-used Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin, affecting over 50,000 WordPress sites. This vulnerability, known as CVE-2024-2258, exposes sites to stored cross-site scripting attacks through seemingly benign user display names autofilled in forms. With versions up to and including 1.15.24 vulnerable, this issue highlights the essential practice of regular software updates as a defense against potential threats. This post aims to dissect the vulnerability, discuss its implications, and provide actionable advice to secure your website—an indispensable resource for anyone concerned about safeguarding their online presence.

Risks and Potential Impacts:

The risks associated with this vulnerability include unauthorized access to user data, manipulation of website content, and the potential for escalating privileges within the WordPress environment. For small business owners, such exploits could lead to serious breaches of customer trust, legal consequences, and financial losses due to compromised personal and financial information.

How to Remediate the Vulnerability:

  • Immediate Action: Users should immediately update to version 1.15.25, which addresses this security flaw.
  • Check for Signs of Vulnerability: Administrators should review form submissions and user profiles for unusual entries that could indicate exploitation.
  • Regular Updates: Ensure that all software on your WordPress site is kept up-to-date, including plugins, themes, and the WordPress core itself.
  • Security Best Practices: Implement additional security measures such as regular audits, use of security plugins, and training for users on safe practices.

Overview of Previous Vulnerabilities:

Since its inception, Form Maker by 10Web has encountered 16 other vulnerabilities, signaling a pattern that necessitates vigilant updates and monitoring by its users. Each of these incidents has provided critical lessons in the importance of securing interactive elements on websites that collect user data.


The rapid response by the developers of Form Maker to address CVE-2024-2258 highlights the ongoing challenge and necessity of maintaining strong cybersecurity defenses. For small business owners, staying proactive in updating and securing your WordPress site is not merely a technical requirement but a fundamental aspect of protecting your business and maintaining trust with your customers. In the digital age, staying ahead of vulnerabilities can keep you from falling behind in business security.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Form Maker by 10Web Vulnerability – Mobile-Friendly Drag & Drop Contact Form Builder – Authenticated Stored Self-Based Cross-Site Scripting – CVE-2024-2258 | WordPress Plugin Vulnerability Report FAQs

What is cross-site scripting (XSS)?

Cross-site scripting, or XSS, is a security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. These scripts can be used to steal information, such as cookies or personal data, directly from the browsers of users visiting the infected site. Stored XSS, like the one found in Form Maker by 10Web, means the malicious script is saved on the server and executed every time the infected page is accessed.

Leave a Comment