Form Maker by 10Web Vulnerability – Mobile-Friendly Drag & Drop Contact Form Builder – Cross-Site Request Forgery to Limited Code Execution via Execute – CVE-2024-0667 | WordPress Plugin Vulnerability Report
Plugin Name: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Key Information:
- Software Type: Plugin
- Software Slug: form-maker
- Software Status: Active
- Software Author: 10web
- Software Downloads: 4,670,950
- Active Installs: 60,000
- Last Updated: February 1, 2024
- Patched Versions: 1.15.22
- Affected Versions: <= 1.15.21
Vulnerability Details:
- Name: Form-Maker (twb_form-maker) <= 1.15.21
- Title: Cross-Site Request Forgery to Limited Code Execution via Execute
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
- CVE: CVE-2024-0667
- CVSS Score: 5.4
- Publicly Published: January 26, 2024
- Researcher: SudoBash
- Description: The Form Maker plugin is vulnerable to Cross-Site Request Forgery (CSRF), allowing unauthenticated attackers to execute arbitrary methods within the 'BoosterController' class through a forged request. This vulnerability is attributed to insufficient nonce validation in the plugin's 'execute' function and could potentially be exploited if an attacker convinces a site administrator to click on a malicious link.
Summary:
Form Maker by 10Web, a widely-used plugin for creating various forms on WordPress sites, has been found to contain a significant vulnerability in versions up to and including 1.15.21. This security flaw enables CSRF attacks that could lead to limited code execution, posing a risk to site integrity and security. The vulnerability has been addressed in the updated version 1.15.22.
Detailed Overview:
Discovered by the cybersecurity researcher SudoBash, this vulnerability underscores the critical nature of nonce validation within WordPress plugins to prevent CSRF attacks. The specific flaw in Form Maker's 'execute' function could allow attackers to carry out actions on behalf of the site administrator without their knowledge, leading to potential unauthorized changes or malicious activities on the site.
Advice for Users:
- Immediate Action: Users of the Form Maker plugin are strongly encouraged to update to version 1.15.22, which includes a fix for this vulnerability. Delaying this update could leave your site vulnerable to CSRF attacks and unauthorized code execution.
- Check for Signs of Vulnerability: Site administrators should review their site's forms and recent activities for any unusual or unauthorized changes that may indicate exploitation of this vulnerability.
- Alternate Plugins: While the patched version is deemed secure, exploring alternative contact form plugins with robust security features may provide an added layer of confidence and protection against future vulnerabilities.
- Stay Updated: Ensuring that all WordPress components, including plugins, themes, and the core software, are kept up-to-date is essential for maintaining a secure online presence and protecting against known vulnerabilities.
Conclusion:
The prompt identification and patching of CVE-2024-0667 within the Form Maker plugin by 10Web highlight the ongoing challenges and importance of cybersecurity vigilance in the WordPress ecosystem. This incident serves as a reminder to all WordPress site owners and administrators of the critical need for regular updates and adherence to best security practices. By taking proactive steps to secure your site, including updating to the latest version of Form Maker, you can help safeguard your digital assets and ensure a secure environment for your users.
In today's digital landscape, where websites serve as the cornerstone of many small businesses, the security of WordPress plugins is more critical than ever. The recent discovery of a vulnerability in the widely used "Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder" plugin, identified as CVE-2024-0667, has cast a spotlight on the ongoing battle against digital threats. This vulnerability not only underscores the importance of regular software updates but also serves as a reminder of the potential risks that outdated plugins can pose to website integrity and user security.
About the Plugin: Form Maker by 10Web
Form Maker by 10Web is a popular WordPress plugin that empowers users to easily create and manage various forms on their websites, from simple contact forms to complex surveys and quizzes. Boasting over 60,000 active installations and more than 4.6 million downloads, its significance within the WordPress community is undeniable.
Vulnerability Details: Cross-Site Request Forgery to Limited Code Execution
CVE-2024-0667 highlights a critical flaw in Form Maker versions up to 1.15.21, where insufficient nonce validation in the plugin's 'execute' function could allow attackers to perform Cross-Site Request Forgery (CSRF) attacks. This vulnerability potentially enables unauthenticated attackers to execute arbitrary methods within the 'BoosterController' class, posing a risk of limited code execution through forged requests if an attacker deceives a site administrator into clicking on a malicious link.
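To make the class of defect concrete for both the Key Information description above and this section, here is an added PHP illustration that is not Form Maker's own code: a hypothetical admin-ajax "execute" handler that dispatches a request-supplied method name onto a controller, shown first without any nonce or capability check and then hardened with the standard WordPress checks. `BoosterController`, its two methods and the `booster_execute` nonce action are placeholders for the illustration only.

```php
<?php
// Added illustration, not Form Maker's code. BoosterController, its methods
// and the 'booster_execute' action name are hypothetical placeholders.

class BoosterController {
    public function refresh_cache()  { return 'cache refreshed'; }
    public function reset_settings() { return 'settings reset'; }
}

// VULNERABLE PATTERN: the method name comes straight from the request and
// nothing ties the request to the administrator's intent. An admin who is
// logged in and loads an attacker-controlled page sends this with their own
// cookies, so the controller runs whatever method was named.
function booster_execute_vulnerable() {
    $controller = new BoosterController();
    $method     = $_REQUEST['method'] ?? '';
    if ( method_exists( $controller, $method ) ) {
        wp_send_json_success( $controller->$method() );
    }
    wp_send_json_error( 'unknown method' );
}

// HARDENED PATTERN: capability check (who may do this), nonce check (did an
// admin page really originate the request), and an explicit allowlist instead
// of reflective dispatch. A nonce alone is not an authorisation check, so the
// capability test stays even when the nonce is valid.
function booster_execute_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Dies on failure. The admin page must have emitted this nonce with
    // wp_create_nonce( 'booster_execute' ) and sent it in the 'nonce' field.
    check_ajax_referer( 'booster_execute', 'nonce' );

    $allowed = array( 'refresh_cache', 'reset_settings' );
    $method  = sanitize_key( $_POST['method'] ?? '' );
    if ( ! in_array( $method, $allowed, true ) ) {
        wp_send_json_error( 'unknown method', 400 );
    }
    $controller = new BoosterController();
    wp_send_json_success( $controller->$method() );
}

// Only the hardened handler is registered; accept POST only, never GET links.
add_action( 'wp_ajax_booster_execute', 'booster_execute_hardened' );
```

Reviewing a plugin's ajax and admin-post handlers for this shape (request-controlled method or callback name, no `check_ajax_referer`/`check_admin_referer`, no `current_user_can`) is the quickest way to spot the same weakness elsewhere on a site.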
Risks and Potential Impacts
The exploitation of this vulnerability could lead to unauthorized changes or malicious activities on affected WordPress sites. Such actions could compromise the functionality of the site, leak sensitive information, or even disrupt the site's operations, affecting both the site's reputation and the trust of its users.
Remediation and User Advice
To mitigate the risks associated with CVE-2024-0667, users of the Form Maker plugin are urged to update to the patched version 1.15.22 immediately. Additionally, site administrators should remain vigilant for any unusual activity or unauthorized changes on their sites, which could indicate exploitation of this vulnerability. Exploring alternative form builder plugins with robust security features can also provide an added layer of protection.
Historical Context
With 13 previous vulnerabilities reported since April 27, 2018, the Form Maker plugin's security history underscores the importance of continuous vigilance and timely updates in maintaining website security.
Conclusion: The Imperative of Cybersecurity Vigilance
For small business owners, the task of staying updated on every security vulnerability may seem daunting amidst the myriad responsibilities of running a business. However, the case of CVE-2024-0667 in the Form Maker plugin by 10Web highlights the critical need for proactive security measures. Regularly updating plugins, themes, and WordPress core, alongside employing best security practices, is essential in safeguarding your digital assets against emerging threats. In the ever-evolving landscape of cybersecurity, staying informed and responsive is key to ensuring the security and reliability of your WordPress site.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.