cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-10562,https://securityvulnerability.io/vulnerability/CVE-2024-10562,Stored Cross-Site Scripting Vulnerability in Form Maker by 10Web for WordPress,"The Form Maker plugin by 10Web for WordPress, when used in versions earlier than 1.15.31, is susceptible to a stored cross-site scripting (XSS) vulnerability. This issue arises because certain plugin settings are not properly sanitized or escaped. As a result, users with high privileges, such as administrators, may inadvertently execute malicious scripts even in configurations where the 'unfiltered_html' capability is disabled, potentially exposing WordPress multisite setups to significant security risks.",Wordpress,Form Maker By 10web,,,0.0004299999854993075,false,,false,false,true,true,false,false,2025-01-07T06:00:03.350Z,0
CVE-2024-11934,https://securityvulnerability.io/vulnerability/CVE-2024-11934,Stored Cross-Site Scripting in Formaloo Form Maker & Customer Analytics Plugin for WordPress,"The Formaloo Form Maker & Customer Analytics plugin for WordPress has a vulnerability that allows attackers with Contributor-level access and above to inject arbitrary web scripts into pages. This issue arises from insufficient input sanitization and output escaping related to the 'address' parameter. As a result, when users access a page with a malicious script injected, it gets executed, potentially compromising user data and security.",Wordpress,Formaloo Form Maker & Customer Analytics For WordPress & WooCommerce,6.4,MEDIUM,0.0005300000193528831,false,,false,false,false,false,false,false,2025-01-07T03:21:54.579Z,0
CVE-2024-10265,https://securityvulnerability.io/vulnerability/CVE-2024-10265,Unauthenticated Attackers Can Trick Users into Injecting Arbitrary Scripts: The Form Maker by 10Web Plugin Vulnerability,"The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.15.30. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",Wordpress,Form Maker By 10web – Mobile-friendly Drag & Drop Contact Form Builder,6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,,false,false,2024-11-10T12:30:34.046Z,0
CVE-2024-8633,https://securityvulnerability.io/vulnerability/CVE-2024-8633,Stored Cross-Site Scripting Vulnerability in The Form Maker,"The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.27 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,Form Maker By 10web – Mobile-friendly Drag & Drop Contact Form Builder,4.8,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-09-26T11:32:38.668Z,0
CVE-2024-6130,https://securityvulnerability.io/vulnerability/CVE-2024-6130,Unfiltered HTML Setting Vulnerability in The Form Maker WordPress Plugin Allows Stored Cross-Site Scripting Attacks,"The Form Maker by 10Web  WordPress plugin before 1.15.26 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)",Wordpress,Form Maker By 10web,,,0.0004299999854993075,false,,false,false,true,true,false,false,2024-07-01T06:00:01.641Z,0
CVE-2024-3155,https://securityvulnerability.io/vulnerability/CVE-2024-3155,Stored Cross-Site Scripting Vulnerability in Combo Blocks Plugin for WordPress,"The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 2.2.80 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,"Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks",6.4,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,2024-05-21T02:32:59.318Z,0
CVE-2024-2258,https://securityvulnerability.io/vulnerability/CVE-2024-2258,Stored Cross-Site Scripting Vulnerability in The Form Maker for WordPress,"The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name autofilled into forms in all versions up to, and including, 1.15.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,Form Maker By 10web – Mobile-friendly Drag & Drop Contact Form Builder,4.4,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,2024-04-27T03:33:35.216Z,0
CVE-2024-0881,https://securityvulnerability.io/vulnerability/CVE-2024-0881,Unauthenticated Access to Password Protected Posts in Post Grid Plugin,"The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel  WordPress plugin before 2.2.76 does not have proper authorization, resulting in password protected posts to be displayed in the result of some unauthenticated AJAX actions, allowing unauthenticated users to read such posts",Wordpress,"Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel",,,0.000590000010561198,false,,false,false,true,true,false,false,2024-04-11T15:36:31.247Z,0
CVE-2024-2112,https://securityvulnerability.io/vulnerability/CVE-2024-2112,Sensitive Information Exposure in Form Maker Plugin for WordPress by 10Web,"The Form Maker plugin by 10Web for WordPress is susceptible to a vulnerability that allows unauthenticated attackers to gain access to sensitive information through the signature functionality. This exposure enables attackers to extract critical user data, including signatures, from all versions of the plugin up to and including 1.15.22. It is important for users of the plugin to update to the latest version to mitigate this issue and protect their sensitive data.",Wordpress,Form Maker By 10web – Mobile-friendly Drag & Drop Contact Form Builder,5.9,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,2024-04-09T18:58:49.733Z,0
CVE-2023-7072,https://securityvulnerability.io/vulnerability/CVE-2023-7072,Sensitive Information Exposure Vulnerability Affects The Post Grid Combo Plugin,"The Post Grid Combo – 36+ Gutenberg Blocks plugin for WordPress has a vulnerability that allows unauthenticated attackers to access sensitive data through the 'get_posts' REST API endpoint. This issue affects all versions up to and including 2.2.68, enabling unauthorized users to extract full draft posts, password-protected content, and the passwords for those protected posts. As a result, this vulnerability poses a significant risk to the confidentiality of user data and requires prompt remediation.",Wordpress,"Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks",7.5,HIGH,0.00044999999227002263,false,,false,false,false,,false,false,2024-03-12T22:32:27.035Z,0
CVE-2024-0667,https://securityvulnerability.io/vulnerability/CVE-2024-0667,Cross-Site Request Forgery Vulnerability in Form Maker by 10Web for WordPress,"The Form Maker by 10Web plugin for WordPress is susceptible to a Cross-Site Request Forgery (CSRF) vulnerability. This flaw is rooted in the absence of proper nonce validation within the 'execute' function, allowing unauthenticated attackers to execute arbitrary methods within the 'BoosterController' class. Attackers could exploit this vulnerability by tricking an administrator into clicking a malicious link, potentially compromising the site's functionality and security.",Wordpress,Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder,6.3,MEDIUM,0.0006500000017695129,false,,false,false,false,,false,false,2024-01-27T03:32:46.380Z,0
CVE-2023-6645,https://securityvulnerability.io/vulnerability/CVE-2023-6645,Stored Cross-Site Scripting in Post Grid Combo Plugin for WordPress,"The Post Grid Combo – 36+ Gutenberg Blocks plugin for WordPress is susceptible to Stored Cross-Site Scripting (XSS) due to inadequate input sanitization and output escaping processes. This vulnerability affects all versions up to and including 2.2.64. Authenticated attackers with contributor access and higher can exploit this flaw to inject malicious web scripts into pages, which will subsequently execute when users visit those compromised pages, leading to potential data compromise and user session hijacking.",Wordpress,"Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks",5.4,MEDIUM,0.0004799999878741801,false,,false,false,false,,false,false,2024-01-11T08:32:49.663Z,0
CVE-2023-4666,https://securityvulnerability.io/vulnerability/CVE-2023-4666,Form-Maker < 1.15.20 - Unauthenticated Arbitrary File Upload,"The Form Maker by 10Web plugin for WordPress prior to version 1.15.20 contains a security flaw due to the lack of proper validation of user input when generating signatures on the server. This weakness allows unauthenticated attackers to craft arbitrary files, which could potentially lead to remote code execution. It is crucial for users to update to the latest version to mitigate this risk.",Wordpress,Form Maker by 10Web,9.8,CRITICAL,0.0052200001664459705,false,,false,false,false,,false,false,2023-10-16T20:15:00.000Z,0
CVE-2022-3300,https://securityvulnerability.io/vulnerability/CVE-2022-3300,Form Maker by 10Web < 1.15.6 - Admin+ SQLI,"The Form Maker by 10Web WordPress plugin before 1.15.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin",Wordpress,Form Maker By 10web – Mobile-friendly Drag & Drop Contact Form Builder,7.2,HIGH,0.0014199999859556556,false,,false,false,false,,false,false,2022-10-25T00:00:00.000Z,0
CVE-2022-1564,https://securityvulnerability.io/vulnerability/CVE-2022-1564,Form Maker By 10Web < 1.14.12 - Admin+ Stored Cross-Site Scripting,"The Form Maker by 10Web WordPress plugin before 1.14.12 does not sanitize and escape the Custom Text settings, which could allow high privilege user such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed",Wordpress,Form Maker By 10web – Mobile-friendly Drag & Drop Contact Form Builder,4.8,MEDIUM,0.000539999979082495,false,,false,false,false,,false,false,2022-05-30T08:35:57.000Z,0
CVE-2021-24526,https://securityvulnerability.io/vulnerability/CVE-2021-24526,Form Maker < 1.13.60 - Authenticated Stored XSS,"The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin before 1.13.60 does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue",Wordpress,Form Maker By 10web – Mobile-friendly Drag & Drop Contact Form Builder,5.4,MEDIUM,0.000539999979082495,false,,false,false,false,,false,false,2021-08-16T10:48:26.000Z,0
CVE-2019-10866,https://securityvulnerability.io/vulnerability/CVE-2019-10866,,"In the Form Maker plugin before 1.13.3 for WordPress, it's possible to achieve SQL injection in the function get_labels_parameters in the file form-maker/admin/models/Submissions_fm.php with a crafted value of the /models/Submissioc parameter.",Wordpress,Form Maker,9.8,CRITICAL,0.002420000033453107,false,,false,false,false,,false,false,2019-05-23T18:34:28.000Z,0
CVE-2019-11590,https://securityvulnerability.io/vulnerability/CVE-2019-11590,,"The 10Web Form Maker plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is unsanitized.",Wordpress,Form Maker,8.8,HIGH,0.0025500000920146704,false,,false,false,false,,false,false,2019-04-29T13:46:30.000Z,0
CVE-2018-10504,https://securityvulnerability.io/vulnerability/CVE-2018-10504,,"The WebDorado ""Form Maker by WD"" plugin before 1.12.24 for WordPress allows CSV injection.",Wordpress,Form Maker,7.8,HIGH,0.0011500000255182385,false,,false,false,false,,false,false,2018-04-27T16:00:00.000Z,0