Search criteria
6 vulnerabilities found for Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder by Unknown
CVE-2022-3300 (GCVE-0-2022-3300)
Vulnerability from cvelistv5 – Published: 2022-10-25 00:00 – Updated: 2025-05-09 19:00
VLAI?
Title
Form Maker by 10Web < 1.15.6 - Admin+ SQLI
Summary
The Form Maker by 10Web WordPress plugin before 1.15.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin
Severity ?
7.2 (High)
CWE
- CWE-89 - SQL Injection
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder |
Affected:
1.15.6 , < 1.15.6
(custom)
|
Credits
Nguyen Duy Quoc Khanh
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:06.454Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/ddc9ed69-d942-4fad-bbf4-1be3b86460d9"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3300",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-09T18:58:28.210084Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-09T19:00:42.369Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.15.6",
"status": "affected",
"version": "1.15.6",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Nguyen Duy Quoc Khanh"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Form Maker by 10Web WordPress plugin before 1.15.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-25T00:00:00.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"url": "https://wpscan.com/vulnerability/ddc9ed69-d942-4fad-bbf4-1be3b86460d9"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Form Maker by 10Web \u003c 1.15.6 - Admin+ SQLI",
"x_generator": "WPScan CVE Generator"
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3300",
"datePublished": "2022-10-25T00:00:00.000Z",
"dateReserved": "2022-09-26T00:00:00.000Z",
"dateUpdated": "2025-05-09T19:00:42.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1564 (GCVE-0-2022-1564)
Vulnerability from cvelistv5 – Published: 2022-05-30 08:35 – Updated: 2024-08-03 00:10
VLAI?
Title
Form Maker By 10Web < 1.14.12 - Admin+ Stored Cross-Site Scripting
Summary
The Form Maker by 10Web WordPress plugin before 1.14.12 does not sanitize and escape the Custom Text settings, which could allow high privilege user such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder |
Affected:
1.14.12 , < 1.14.12
(custom)
|
Credits
Abhinav Porwal & Hitesh Kumar
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:10:03.623Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/a487c7e7-667c-4c92-a427-c43cc13b348d"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.14.12",
"status": "affected",
"version": "1.14.12",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Abhinav Porwal \u0026 Hitesh Kumar"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Form Maker by 10Web WordPress plugin before 1.14.12 does not sanitize and escape the Custom Text settings, which could allow high privilege user such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-30T08:35:57",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/a487c7e7-667c-4c92-a427-c43cc13b348d"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Form Maker By 10Web \u003c 1.14.12 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-1564",
"STATE": "PUBLIC",
"TITLE": "Form Maker By 10Web \u003c 1.14.12 - Admin+ Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.14.12",
"version_value": "1.14.12"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Abhinav Porwal \u0026 Hitesh Kumar"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Form Maker by 10Web WordPress plugin before 1.14.12 does not sanitize and escape the Custom Text settings, which could allow high privilege user such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/a487c7e7-667c-4c92-a427-c43cc13b348d",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/a487c7e7-667c-4c92-a427-c43cc13b348d"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-1564",
"datePublished": "2022-05-30T08:35:57",
"dateReserved": "2022-05-03T00:00:00",
"dateUpdated": "2024-08-03T00:10:03.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24526 (GCVE-0-2021-24526)
Vulnerability from cvelistv5 – Published: 2021-08-16 10:48 – Updated: 2024-08-03 19:35
VLAI?
Title
Form Maker < 1.13.60 - Authenticated Stored XSS
Summary
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin before 1.13.60 does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder |
Affected:
1.13.60 , < 1.13.60
(custom)
|
Credits
Felipe Restrepo Rodriguez
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:35:20.030Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/17287d8a-ba27-42dc-9370-a931ef404995"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.13.60",
"status": "affected",
"version": "1.13.60",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Felipe Restrepo Rodriguez"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder WordPress plugin before 1.13.60 does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-16T10:48:26",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/17287d8a-ba27-42dc-9370-a931ef404995"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Form Maker \u003c 1.13.60 - Authenticated Stored XSS",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24526",
"STATE": "PUBLIC",
"TITLE": "Form Maker \u003c 1.13.60 - Authenticated Stored XSS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.13.60",
"version_value": "1.13.60"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Felipe Restrepo Rodriguez"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder WordPress plugin before 1.13.60 does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/17287d8a-ba27-42dc-9370-a931ef404995",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/17287d8a-ba27-42dc-9370-a931ef404995"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24526",
"datePublished": "2021-08-16T10:48:26",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:35:20.030Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3300 (GCVE-0-2022-3300)
Vulnerability from nvd – Published: 2022-10-25 00:00 – Updated: 2025-05-09 19:00
VLAI?
Title
Form Maker by 10Web < 1.15.6 - Admin+ SQLI
Summary
The Form Maker by 10Web WordPress plugin before 1.15.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin
Severity ?
7.2 (High)
CWE
- CWE-89 - SQL Injection
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder |
Affected:
1.15.6 , < 1.15.6
(custom)
|
Credits
Nguyen Duy Quoc Khanh
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:06.454Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/ddc9ed69-d942-4fad-bbf4-1be3b86460d9"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3300",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-09T18:58:28.210084Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-09T19:00:42.369Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.15.6",
"status": "affected",
"version": "1.15.6",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Nguyen Duy Quoc Khanh"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Form Maker by 10Web WordPress plugin before 1.15.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-25T00:00:00.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"url": "https://wpscan.com/vulnerability/ddc9ed69-d942-4fad-bbf4-1be3b86460d9"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Form Maker by 10Web \u003c 1.15.6 - Admin+ SQLI",
"x_generator": "WPScan CVE Generator"
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3300",
"datePublished": "2022-10-25T00:00:00.000Z",
"dateReserved": "2022-09-26T00:00:00.000Z",
"dateUpdated": "2025-05-09T19:00:42.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1564 (GCVE-0-2022-1564)
Vulnerability from nvd – Published: 2022-05-30 08:35 – Updated: 2024-08-03 00:10
VLAI?
Title
Form Maker By 10Web < 1.14.12 - Admin+ Stored Cross-Site Scripting
Summary
The Form Maker by 10Web WordPress plugin before 1.14.12 does not sanitize and escape the Custom Text settings, which could allow high privilege user such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder |
Affected:
1.14.12 , < 1.14.12
(custom)
|
Credits
Abhinav Porwal & Hitesh Kumar
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:10:03.623Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/a487c7e7-667c-4c92-a427-c43cc13b348d"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.14.12",
"status": "affected",
"version": "1.14.12",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Abhinav Porwal \u0026 Hitesh Kumar"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Form Maker by 10Web WordPress plugin before 1.14.12 does not sanitize and escape the Custom Text settings, which could allow high privilege user such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-30T08:35:57",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/a487c7e7-667c-4c92-a427-c43cc13b348d"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Form Maker By 10Web \u003c 1.14.12 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-1564",
"STATE": "PUBLIC",
"TITLE": "Form Maker By 10Web \u003c 1.14.12 - Admin+ Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.14.12",
"version_value": "1.14.12"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Abhinav Porwal \u0026 Hitesh Kumar"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Form Maker by 10Web WordPress plugin before 1.14.12 does not sanitize and escape the Custom Text settings, which could allow high privilege user such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/a487c7e7-667c-4c92-a427-c43cc13b348d",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/a487c7e7-667c-4c92-a427-c43cc13b348d"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-1564",
"datePublished": "2022-05-30T08:35:57",
"dateReserved": "2022-05-03T00:00:00",
"dateUpdated": "2024-08-03T00:10:03.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24526 (GCVE-0-2021-24526)
Vulnerability from nvd – Published: 2021-08-16 10:48 – Updated: 2024-08-03 19:35
VLAI?
Title
Form Maker < 1.13.60 - Authenticated Stored XSS
Summary
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin before 1.13.60 does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder |
Affected:
1.13.60 , < 1.13.60
(custom)
|
Credits
Felipe Restrepo Rodriguez
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:35:20.030Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/17287d8a-ba27-42dc-9370-a931ef404995"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.13.60",
"status": "affected",
"version": "1.13.60",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Felipe Restrepo Rodriguez"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder WordPress plugin before 1.13.60 does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-16T10:48:26",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/17287d8a-ba27-42dc-9370-a931ef404995"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Form Maker \u003c 1.13.60 - Authenticated Stored XSS",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24526",
"STATE": "PUBLIC",
"TITLE": "Form Maker \u003c 1.13.60 - Authenticated Stored XSS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.13.60",
"version_value": "1.13.60"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Felipe Restrepo Rodriguez"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder WordPress plugin before 1.13.60 does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/17287d8a-ba27-42dc-9370-a931ef404995",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/17287d8a-ba27-42dc-9370-a931ef404995"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24526",
"datePublished": "2021-08-16T10:48:26",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:35:20.030Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}