Unrated severity · NVD Advisory · Published Oct 18, 2023 · Updated Apr 28, 2026

WordPress Form Maker by 10Web Plugin <= 1.15.18 is vulnerable to Cross Site Scripting (XSS)

CVE-2023-45070

Description

Unauthenticated reflected Cross-Site Scripting (XSS) vulnerability in the 10Web Form Builder Team plugin Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder, versions <= 1.15.18.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS vulnerability in Form Maker by 10Web plugin for WordPress allows unauthenticated attackers to inject arbitrary web scripts via a crafted URL.

Vulnerability

The Form Maker by 10Web plugin for WordPress (versions up to and including 1.15.18) contains a reflected cross-site scripting (XSS) vulnerability. The flaw exists due to insufficient input sanitization and output escaping of user-supplied parameters, allowing injection of arbitrary JavaScript into the response. No special configuration is required; the vulnerable code path is reachable via the plugin's front-end forms.

Exploitation

An unauthenticated attacker can exploit this vulnerability by crafting a malicious URL containing a payload in a vulnerable parameter. The victim must be tricked into clicking the link (e.g., via phishing or social engineering). No authentication or prior access is needed. The payload is reflected in the page and executed in the victim's browser.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to theft of session cookies, defacement, redirection to malicious sites, or other client-side attacks. The impact is limited to the victim's browser and does not grant server-side access.

Mitigation

The vendor has addressed this vulnerability in a subsequent release. Users should update the Form Maker plugin to the latest version (1.15.43 as of reference [1]) or to any version later than 1.15.18. No workarounds are documented; updating is the recommended action.
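One way to check installed copies against the affected range stated above, as an added example that is not part of the advisory or the vendor's code. It assumes the plugin's header comment names it "Form Maker" and that plugins sit one directory deep under the path passed to `audit()`; the sample header is constructed.

```python
import re
from pathlib import Path

LAST_AFFECTED = (1, 15, 18)  # advisory: versions <= 1.15.18 are affected
# WordPress plugin header fields, e.g. " * Version: 1.15.18"
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.M | re.I)

# Constructed sample header, not copied from the plugin.
SAMPLE = "<?php\n/**\n * Plugin Name: Form Maker\n * Version: 1.15.18\n */\n"

def parse_plugin_header(php_source):
    """Return the Plugin Name / Version fields of a plugin header comment."""
    fields = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):  # WP reads 8 KB
        fields.setdefault(key.lower(), value)
    return fields

def version_tuple(version):
    """'1.15.18' -> (1, 15, 18); stops at the first non-numeric component."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)

def is_affected(version):
    """True when version <= 1.15.18, compared numerically, not as strings."""
    v = version_tuple(version)
    if not v:
        raise ValueError(f"unparseable version: {version!r}")
    width = max(len(v), len(LAST_AFFECTED))
    return v + (0,) * (width - len(v)) <= LAST_AFFECTED + (0,) * (width - len(LAST_AFFECTED))

def audit(plugins_dir, name_prefix="form maker"):
    """List (file, version, affected) for matching plugins under plugins_dir."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        fields = parse_plugin_header(php.read_text(errors="replace"))
        version = fields.get("version")
        if version and fields.get("plugin name", "").lower().startswith(name_prefix):
            findings.append((str(php), version, is_affected(version)))
    return findings

if __name__ == "__main__":
    print(is_affected(parse_plugin_header(SAMPLE)["version"]))
```

The numeric comparison matters here: a plain string comparison would rank 1.15.9 above 1.15.18 and report an affected install as fixed.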

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
