CVE-2024-34437

5.9 MEDIUM

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability in the Form Maker by 10Web WordPress plugin allows attackers to inject malicious scripts into web forms. When users view or submit affected forms, the scripts execute in their browsers, potentially stealing credentials or session cookies. All WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • Form Maker by 10Web WordPress plugin
Versions: All versions up to and including 1.15.24
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects WordPress installations with the vulnerable plugin activated. No special configuration required.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, take over WordPress sites, deface websites, or redirect visitors to malicious sites, potentially leading to complete site compromise and data theft.

🟠

Likely Case

Attackers steal user session cookies or credentials, perform actions on behalf of authenticated users, or deface specific pages containing the vulnerable forms.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized before execution, preventing any exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Stored XSS vulnerabilities are commonly exploited. While no public PoC is confirmed, the vulnerability type suggests weaponization is likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.15.25 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/form-maker/wordpress-form-maker-by-10web-plugin-1-15-24-cross-site-scripting-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Form Maker by 10Web'.
4. Click 'Update Now' if available, or manually update via FTP.
5. Verify the version is 1.15.25 or higher.

🔧 Temporary Workarounds

Disable Plugin (Platform: all)

Temporarily deactivate the Form Maker plugin until patched.

Content Security Policy (Platform: all)

Implement strict CSP headers to mitigate XSS impact. Note that WordPress core, themes and many plugins rely on inline scripts, so a policy this strict will break parts of the site; trial it first with the Content-Security-Policy-Report-Only header and relax it where needed.

Add to .htaccess (requires mod_headers): Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to wp-config.php: header("Content-Security-Policy: default-src 'self'; script-src 'self'");

🧯 If You Can't Patch

  • Remove or disable the Form Maker plugin entirely
  • Implement web application firewall (WAF) rules to block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Form Maker by 10Web version. If version is 1.15.24 or lower, you are vulnerable.

Check Version:

wp plugin list --name="form-maker" --field=version (if WP-CLI is installed)

Verify Fix Applied:

After update, confirm version is 1.15.25 or higher in WordPress plugins list.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to form submission endpoints
  • Suspicious script tags in form data logs
  • Multiple failed login attempts after form submissions

Network Indicators:

  • Outbound connections to unknown domains after form submissions
  • Unexpected redirects from form pages

SIEM Query:

source="wordpress.log" AND ("form-maker" OR "form_maker") AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
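As an added example (not part of this advisory or the plugin's code), the following Python applies the indicators from the SIEM query above to constructed web-server log lines, URL-decoding each request first so that percent-encoded markers such as %3Cscript%3E are not missed. The log format and all sample lines are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not from any real site) in a simplified
# "client method path+query status" layout.
SAMPLE_LOG = """\
203.0.113.10 POST /wp-admin/admin-ajax.php?action=form_maker&name=alice 200
203.0.113.10 POST /wp-admin/admin-ajax.php?action=form_maker&name=%3Cscript%3Ex%3C%2Fscript%3E 200
198.51.100.7 GET /wp-content/plugins/form-maker/css/style.css 200
198.51.100.7 POST /wp-admin/admin-ajax.php?action=form_maker&bio=x%22+onerror%3Dx 200
192.0.2.44 POST /contact/?form_maker_submit=1&msg=hello+world 200
192.0.2.44 GET /contact/?form_maker_submit=1&link=javascript%3Avoid(0) 200
192.0.2.44 GET /?s=%3Cscript%3E 200
"""

# Indicators taken from the advisory's SIEM query.
PLUGIN_MARKERS = ("form-maker", "form_maker")
XSS_MARKERS = re.compile(r"<script|javascript:|onerror=|onload=", re.IGNORECASE)


def is_suspicious(line: str) -> bool:
    """True when a line touches the Form Maker plugin and, once URL-decoded,
    contains one of the advisory's XSS markers."""
    lowered = line.lower()
    if not any(marker in lowered for marker in PLUGIN_MARKERS):
        return False
    # Decode twice: browsers percent-encode once and proxies or tooling may
    # encode again; in the raw query "<script>" appears only as "%3Cscript%3E".
    decoded = unquote_plus(unquote_plus(line))
    return bool(XSS_MARKERS.search(decoded))


def scan(log_text: str) -> list[str]:
    """Return the suspicious lines from a block of log text."""
    return [ln for ln in log_text.splitlines() if is_suspicious(ln)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("SUSPICIOUS:", hit)
```

The last sample line carries a script marker but no plugin marker, so it is deliberately not flagged; widen PLUGIN_MARKERS if you want to watch other endpoints.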
