First published: Mon Aug 16 2021
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin before 1.13.60 does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| 10web Form Maker | <1.13.60 | |
CVE-2021-24526 is a vulnerability in the Form Maker by 10Web WordPress plugin that allows an authenticated user to execute arbitrary JavaScript code.
CVE-2021-24526 occurs because the plugin does not escape the Form Title before outputting it in an HTML attribute, allowing an attacker to inject malicious code.
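The following is an added example, not the plugin's own code: a Python model of the unescaped and escaped attribute output, plus a regression check that parses the rendered markup and confirms the title stayed inside its `value` attribute. The function names, the `<input>` markup and the sample title are constructed assumptions; in WordPress PHP the equivalent encoding is done by `esc_attr()`.

```python
from html import escape
from html.parser import HTMLParser

# Constructed title: the double quote closes value="..." early, so the rest
# is parsed as a separate attribute. Harmless marker only, no script.
SAMPLE_TITLE = 'Contact us" data-injected="1'


def render_unescaped(title):
    """Models the flaw: the stored title is placed in the attribute as-is."""
    return '<input type="text" name="title" value="%s">' % title


def render_escaped(title):
    """Models the fix: encode &, <, >, " and ' for attribute context."""
    return '<input type="text" name="title" value="%s">' % escape(title, quote=True)


class _InputAttrs(HTMLParser):
    """Collects the attributes of the first <input> element seen."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def title_stays_in_attribute(markup, title):
    """True if the element has only the expected attributes and the value
    attribute decodes back to the exact title that was stored."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    attrs = parser.attrs or {}
    return set(attrs) == {"type", "name", "value"} and attrs.get("value") == title


if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        ok = title_stays_in_attribute(render(SAMPLE_TITLE), SAMPLE_TITLE)
        print(render.__name__, "title contained:", ok)
```

The same parse-and-compare check can be run against any template that echoes stored values into attributes, using titles that contain quotes, ampersands and angle brackets.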
CVE-2021-24526 has a severity rating of medium with a CVSS score of 5.4.
To fix CVE-2021-24526, you should update the Form Maker by 10Web plugin to version 1.13.60 or higher.
More information about CVE-2021-24526 is available at the following reference: https://wpscan.com/vulnerability/17287d8a-ba27-42dc-9370-a931ef404995