24 matches found
CVE-2019-10866
The CVE-2019-10866 vulnerability affects WordPress Form Maker plugin prior to version 1.13.3. A SQL injection exists in the get_labels_parameters flow inside form-maker/admin/models/Submissions_fm.php, triggered by crafted values (notably via the asc_or_desc parameter in PoC scenarios). Documente...
CVE-2023-45070
CVE-2023-45070 affects WordPress Form Maker by 10Web (Mobile-Friendly Drag & Drop Contact Form Builder)
CVE-2023-4666
CVE-2023-4666 affects the Form Maker by 10Web WordPress plugin (before 1.15.20). The vulnerability arises because the plugin does not validate signatures when creating them on the server from user input, allowing unauthenticated users to upload arbitrary files and potentially achieve remote code ...
CVE-2022-1564
CVE-2022-1564 concerns the WordPress Form Maker by 10Web plugin (pre-1.14.12) where the Custom Text settings are not sanitized/escaped, enabling stored Cross-Site Scripting by high-privilege users (e.g., admins) when unfiltered_html is disallowed. Impact described in multiple sources includes an ...
CVE-2022-3300
CVE-2022-3300 affects the WordPress plugin “Form Maker by 10Web” prior to version 1.15.6. The root cause is improper sanitization/escaping of a parameter before it is used in a SQL statement, resulting in a SQL injection. Impact is described as exploitable by high-privilege users such as admins, ...
CVE-2024-2112
The CVE-2024-2112 entry concerns the WordPress plugin Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder, affected up to version 1.15.22. The vulnerability, described across sources (NVD/NVD-related, Red Hat, PatchStack), is Sensitive Information Exposure via the plugin’s sign...
CVE-2023-45071
The CVE CVE-2023-45071 affects the WordPress plugin Form Maker by 10Web (Mobile-Friendly Drag & Drop Contact Form Builder) 1.15.18, specifically fixed in 1.15.19, or apply vendor-supplied mitigations. Product references in connected docs confirm attack surface and patch status.
CVE-2024-2258
CVE-2024-2258 (Form Maker by 10Web, WordPress): Stored XSS vulnerability in forms via a user’s display name autofill. Affected versions are all until 1.15.24 due to insufficient input sanitization and output escaping. Exploitation requires subscriber-level access and above, enabling arbitrary scr...
CVE-2019-11590
The 10Web Form Maker plugin for WordPress is affected by CVE-2019-11590 (versions
CVE-2024-32534
CVE-2024-32534 affects Form Maker (WordPress plugin) by 10Web, with stored XSS due to improper input neutralization during web page generation. Public references confirm the issue and affected range (Form Maker by 10Web:
CVE-2024-10680
The CVE CVE-2024-10680 pertains to the Form Maker by 10Web WordPress plugin (versions before 1.15.32). The issue arises from inadequate sanitization/escaping of several plugin settings, enabling Stored Cross-Site Scripting (XSS) where a high-privilege user (e.g., an admin) can inject scripts even...
CVE-2024-13605
The CVE-2024-13605 entry concerns Form Maker by 10Web for WordPress, affecting versions prior to 1.15.33. It is a Stored XSS in certain settings due to insufficient sanitisation/escaping, which can be triggered by high-privilege users (e.g., admins) even when unfiltered_html is disallowed (e.g., ...
CVE-2023-48290
Form Maker by 10Web WordPress plugin
CVE-2021-24526
CVE-2021-24526 affects the WordPress plugin Form Maker (by 10Web) prior to version 1.13.60. The issue is an authenticated Stored XSS caused by not escaping the Form Title when outputting it in an HTML attribute while editing a form in the admin dashboard. Impact is limited to authenticated users ...
CVE-2024-43220
CVE-2024-43220 is a reflected XSS in the WordPress plugin “Form Maker by 10Web – Mobile-Friendly Drag & Drop Form Builder.” The vulnerability arises from improper input neutralization during web page generation, enabling a reflected XSS payload. Affected releases are Form Maker by 10Web up to 1.1...
CVE-2024-0667
The CVE concerns the WordPress plugin Form Maker by 10Web (Mobile-Friendly Drag & Drop Form Builder). A Cross-Site Request Forgery (CSRF) flaw exists in versions up to and including 1.15.21, caused by missing or incorrect nonce validation on the plugin’s execute function. This allows an unauthent...
CVE-2024-6130
The CVE-2024-6130 entry concerns The Form Maker by 10Web WordPress plugin prior to version 1.15.26, where certain settings are not properly sanitised/escaped. The Red Hat and CVE databases confirm this can enable Stored XSS by high-privilege users (e.g., admins), even when unfiltered_html is disa...
CVE-2024-10558
CVE-2024-10558 concerns the WordPress plugin Form Maker by 10Web. Multiple connected sources confirm a stored XSS risk in admin-level or high-privilege user settings due to incomplete sanitization/escaping of certain settings, potentially allowing an admin (or similarly privileged user) to execut...
CVE-2024-10560
CVE-2024-10560 affects the WordPress plugin Form Maker by 10Web, specifically versions before 1.15.30. The issue is a failure to sanitize/escape certain settings, enabling stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disallowed (such as in multisite setups). The ...
CVE-2024-10265
CVE-2024-10265 affects the Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder for WordPress. It enables a Reflected Cross‑Site Scripting via the use of add_query_arg without proper escaping in the URL, impacting all versions up to and including 1.15.30. Unauthenticated attacke...
CVE-2024-8633
CVE-2024-8633 – Form Maker by 10Web for WordPress is affected by a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to 1.15.27. The root cause is insufficient input sanitization and output escaping in the plugin, which allows an authenticated attacker with Administrator-level ac...
CVE-2024-10562
CVE-2024-10562 affects the WordPress plugin Form Maker by 10Web (versions before 1.15.31). An authenticated admin can exploit a Stored Cross-Site Scripting (XSS) flaw due to incomplete sanitization/escaping of certain settings, enabling script execution in the admin context. The issue is document...
CVE-2024-34437
Technical details beyond the vulnerability description are not provided in the connected documents. No explicit exploit path, affected components, root cause, or remediation details are included. Monitor for official advisories for deeper technical information and fixes.
CVE-2024-13053
The CVE-2024-13053 entry concerns the WordPress plugin Form Maker by 10Web (prior to version 1.15.33). Root cause: certain settings are not properly sanitized/escaped, enabling Stored Cross-Site Scripting by high-privilege users (e.g., admins) even when unfiltered_html is disallowed, including mu...