CVE-2024-2258 MEDIUM

CVE-2024-2258: Form Maker by 10Web <= 1.15.24 - Authenticated (Subscriber+) Stored Self-Based Cross-Site Scripting

Vendor 10Web
Product Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Weakness CWE-79 · XSS
Published April 27, 2024
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

4.4/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name autofilled into forms in all versions up to, and including, 1.15.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Key dates

02Disclosure timeline

April 27, 2024 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-1187 ZoomifyWP Free <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'filename' Shortcode Attribute CVE-2025-3878 SMS Alert Order Notifications – WooCommerce <= 3.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via sa_verify Shortcode CVE-2026-3347 Multi Functional Flexi Lightbox <= 1.2 - Authenticated (Admin+) Stored Cross-Site Scripting via 'message' Parameter CVE-2026-5783 Reflected XSS in Beyaz Computer's CityPLus CVE-2025-3994 TOTOLINK N150RT IP Port Filtering home.htm cross site scripting