CVE-2024-11223

4.7 MEDIUM

📋 TL;DR

This vulnerability in the WPForms WordPress plugin allows administrators to inject malicious scripts into plugin settings, which then execute in other users' browsers. It affects WordPress sites using WPForms versions before 1.9.2.3, particularly in multisite configurations where unfiltered_html is restricted.

💻 Affected Systems

Products:
  • WPForms WordPress Plugin
Versions: All versions before 1.9.2.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator or high-privilege user access; particularly relevant in WordPress multisite setups.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Administrator account compromise leads to site takeover, data theft, or malware distribution to visitors.

🟠 Likely Case: A privileged user injects malicious scripts that steal session cookies or redirect users to phishing sites.

🟢 If Mitigated: Limited to authenticated administrators, with minimal impact if proper user access controls are enforced.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrative privileges; no public exploit code identified at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.2.3

Vendor Advisory: https://wpscan.com/vulnerability/82989909-9745-4c9a-abc7-c1adf8c2b047/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WPForms and click 'Update Now'.
4. Verify the version is 1.9.2.3 or later.

🔧 Temporary Workarounds

Restrict Administrator Access (platform: all)

Limit administrative accounts to trusted users only and apply the principle of least privilege.

Disable WPForms Temporarily (platform: linux)

Deactivate the plugin until patching is possible if the immediate risk is unacceptable:

wp plugin deactivate wpforms-lite

🧯 If You Can't Patch

  • Implement strict access controls for administrative accounts and monitor for suspicious activity.
  • Use web application firewall (WAF) rules to block XSS payloads in plugin settings.

🔍 How to Verify

Check if Vulnerable:

Check WPForms plugin version in WordPress admin under Plugins > Installed Plugins.

Check Version:

wp plugin get wpforms-lite --field=version

Verify Fix Applied:

Confirm WPForms version is 1.9.2.3 or higher after update.
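The version check above can be scripted so it does not depend on eyeballing a string. This is an added example, not part of the advisory or of WPForms itself: it compares a WPForms version string (as returned by the `wp plugin get wpforms-lite --field=version` command shown above) against the fixed release 1.9.2.3, field by field, so that 1.9.2 and 1.8.x report as vulnerable while 1.9.3 and 1.10.0 do not. The function names `wpforms_is_vulnerable` and `wpforms_verdict` are this example's own.

```shell
#!/bin/sh
# Added example: decide whether an installed WPForms version still lacks the
# CVE-2024-11223 fix. First fixed release per the advisory:
FIXED_VERSION="1.9.2.3"

# version_lt A B: returns 0 (true) when A sorts before B, comparing each
# dot-separated field numerically; a missing field counts as 0, so
# "1.9.2" < "1.9.2.3" and "1.10.0" > "1.9.2.3". POSIX awk only, no sort -V.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xa = (i <= na) ? x[i] + 0 : 0;
            yb = (i <= nb) ? y[i] + 0 : 0;
            if (xa < yb) exit 0;
            if (xa > yb) exit 1;
        }
        exit 1;   # equal versions are not "less than"
    }'
}

# wpforms_is_vulnerable VERSION: true when VERSION is older than the fix.
wpforms_is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# wpforms_verdict VERSION: human-readable result for the given version string.
wpforms_verdict() {
    if wpforms_is_vulnerable "$1"; then
        echo "VULNERABLE: WPForms $1 is older than $FIXED_VERSION (CVE-2024-11223)"
    else
        echo "OK: WPForms $1 includes the fix"
    fi
}

# Usage on a live site (hypothetical invocation; wp-cli must be available):
#   sh check-wpforms.sh "$(wp plugin get wpforms-lite --field=version)"
if [ "$#" -gt 0 ]; then
    wpforms_verdict "$1"
fi
```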

📡 Detection & Monitoring

Log Indicators:

  • Unusual modifications to WPForms settings by administrative users
  • JavaScript payloads in plugin configuration logs

Network Indicators:

  • Unexpected script tags loading from WPForms-related endpoints

SIEM Query:

source="wordpress.log" AND "wpforms" AND ("update" OR "settings") AND ("script" OR "javascript")
