Login Sign Up

CVE-2024-43220

7.1 HIGH
Cross-Site Scripting

📋 TL;DR

This CVE describes a reflected cross-site scripting (XSS) vulnerability in the Form Maker by 10Web WordPress plugin. Attackers can inject malicious scripts via crafted input that gets reflected in web pages without proper sanitization. WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • Form Maker by 10Web WordPress Plugin
Versions: All versions up to and including 1.15.26
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects WordPress installations with the vulnerable plugin enabled. No special configuration required.

📦 What is this software?

Form Maker by 10web

View all CVEs affecting Form Maker →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator session cookies, perform actions as authenticated users, deface websites, or redirect users to malicious sites.

🟠

Likely Case

Attackers trick users into clicking malicious links that execute scripts in their browser, potentially stealing session data or performing limited unauthorized actions.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts would be neutralized before reaching users' browsers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Reflected XSS typically requires user interaction (clicking malicious link) but is straightforward to exploit once the vulnerable parameter is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.15.27 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/form-maker/wordpress-form-maker-by-10web-plugin-1-15-26-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Form Maker by 10Web'. 4. Click 'Update Now' if available. 5. Alternatively, download latest version from WordPress repository and manually update.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

all

Disable the vulnerable plugin until patched

wp plugin deactivate form-maker

Web Application Firewall (WAF)

all

Configure WAF rules to block XSS payloads targeting form parameters

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Use browser security features like HttpOnly cookies and SameSite attributes

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Form Maker by 10Web version number

Check Version:

wp plugin get form-maker --field=version

Verify Fix Applied:

Verify plugin version is 1.15.27 or higher after update

📡 Detection & Monitoring

Log Indicators:

  • Unusual GET/POST requests containing script tags or JavaScript in form parameters
  • Multiple failed XSS attempts in web server logs

Network Indicators:

  • HTTP requests with suspicious parameters containing <script>, javascript:, or encoded payloads

SIEM Query:

source="web_server_logs" AND ("<script" OR "javascript:" OR "%3Cscript" OR "%22%3E%3Cscript") AND uri_path="*form-maker*"

📊 Metadata

CVE ID: CVE-2024-43220
CVSS v3 Score: 7.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
CWE: CWE-79
Published: August 12, 2024
Last Updated: March 6, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-43220, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)