
CVE-2024-13053: CWE-79 Cross-Site Scripting (XSS) in Form Maker by 10Web

Severity: Medium
Tags: vulnerability, cve, cve-2024-13053, cwe-79
Published: Thu May 15 2025 (05/15/2025, 20:06:58 UTC)
Source: CVE
Vendor/Project: Unknown
Product: Form Maker by 10Web

Description

The Form Maker by 10Web WordPress plugin before 1.15.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

AI-Powered Analysis

Last updated: 07/04/2025, 07:40:52 UTC

Technical Analysis

CVE-2024-13053 is a medium-severity stored Cross-Site Scripting vulnerability (CWE-79) in the WordPress plugin 'Form Maker by 10Web' in versions before 1.15.33. The plugin saves some of its settings without sanitising them and renders them back without escaping, so a user who can edit those settings can persist a script payload that runs in the browser of anyone who later views the affected page.

The notable point is the interaction with the unfiltered_html capability. WordPress applies its kses HTML filtering only to post, comment and similar content fields; values a plugin writes to its own options or tables are filtered only if the plugin does so itself. On multisite, unfiltered_html is withheld from everyone but super admins precisely so that site administrators cannot publish arbitrary HTML, and a plugin setting that skips sanitisation reopens that door.

Exploitation needs a high-privilege account (an administrator with access to the plugin's settings) and, for the payload to have any effect, a victim who opens the page where the setting is rendered; in CVSS terms that is PR:H and UI:R. The CVSS 3.1 base score is 4.8 (medium): network attack vector, low attack complexity, high privileges required, user interaction required, changed scope (the script runs in the victim's browser), and limited confidentiality and integrity impact. WordPress authentication cookies are HttpOnly, so a typical payload does not read the session cookie; instead it issues authenticated requests as the victim, which lets the attacker act with that administrator's rights, for example changing site content or configuration or creating accounts. If the victim is a super admin on a multisite network, a site administrator thereby gains actions that multisite is designed to reserve for super admins.

No exploitation in the wild has been reported. The description's phrase "before 1.15.33" indicates that 1.15.33 is the fixed release, although the record does not link a specific patch. Form Maker is a widely installed form builder, so the affected population spans many industries and organisation types.
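To make the mechanism concrete, the following is an added illustration written for this page; it is not Form Maker's code and says nothing about which of its settings are affected. It shows the generic WordPress plugin pattern that produces a "stored XSS in settings despite unfiltered_html being withheld" bug, beside its hardened form. It assumes it runs inside WordPress as a plugin file; the option name fm_demo_settings, the nonce action fm_demo_save and the field names are hypothetical.

```php
<?php
/*
 * Added illustration, not code from Form Maker or 10Web. Assumes WordPress is
 * loaded (plugin file). Option name, nonce action and field names are hypothetical.
 */

/* --- Vulnerable pattern ------------------------------------------------
 * Capability and nonce checks are present and correct, but the value goes
 * straight from $_POST into update_option() and straight from get_option()
 * into HTML. update_option() applies no HTML filtering: WordPress runs kses
 * only on post/comment fields (content_save_pre, pre_comment_content, ...),
 * so the unfiltered_html restriction never applies to plugin options.
 */
function fm_demo_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'fm_demo_save' );
    update_option( 'fm_demo_settings', array(
        'label' => wp_unslash( $_POST['label'] ?? '' ),   // e.g. "><script>...</script>
    ) );
}

function fm_demo_render_settings_vulnerable() {
    $s = get_option( 'fm_demo_settings', array( 'label' => '' ) );
    // A stored payload executes for every administrator who opens this screen.
    echo '<input type="text" name="label" value="' . $s['label'] . '">';
}

/* --- Hardened pattern --------------------------------------------------
 * 1. Register the option with a sanitize_callback so every write path
 *    (settings API, REST, WP-CLI) is filtered, not just this form handler.
 * 2. Sanitise per field: a plain-text field loses all markup; a field that
 *    legitimately accepts HTML goes through wp_kses_post() unless the user
 *    really holds unfiltered_html, which keeps multisite's policy intact.
 * 3. Escape for the output context at render time regardless of step 2.
 */
function fm_demo_sanitize_settings( $input ) {
    $input = is_array( $input ) ? $input : array();
    $desc  = (string) ( $input['description'] ?? '' );
    return array(
        'label'       => sanitize_text_field( $input['label'] ?? '' ),
        'description' => current_user_can( 'unfiltered_html' ) ? $desc : wp_kses_post( $desc ),
    );
}

function fm_demo_register_settings() {
    register_setting( 'fm_demo', 'fm_demo_settings', array(
        'type'              => 'array',
        'sanitize_callback' => 'fm_demo_sanitize_settings',
    ) );
}
add_action( 'admin_init', 'fm_demo_register_settings' );

function fm_demo_save_settings_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'fm_demo_save' );
    // The registered callback also runs inside update_option(); calling it here
    // as well does not depend on admin_init having fired for this request.
    $raw = wp_unslash( $_POST['fm_demo_settings'] ?? array() );
    update_option( 'fm_demo_settings', fm_demo_sanitize_settings( $raw ) );
}

function fm_demo_render_settings_fixed() {
    $s = get_option( 'fm_demo_settings', array( 'label' => '', 'description' => '' ) );
    // Attribute context: esc_attr() even though the value was sanitised on save.
    echo '<input type="text" name="fm_demo_settings[label]" value="' . esc_attr( $s['label'] ) . '">';
    // Rich-text field: kses again on output so a value written by any other path cannot bypass it.
    echo '<div class="fm-desc">' . wp_kses_post( $s['description'] ) . '</div>';
}
```

The design point is that the capability check in the vulnerable version is not the bug: an administrator is allowed to edit the setting. The bug is trusting the administrator's input as HTML, which is exactly the decision multisite makes for them by withholding unfiltered_html, so the fix has to consult that capability (or simply treat the field as text) rather than rely on manage_options.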

Potential Impact

For European organizations running WordPress sites with the Form Maker by 10Web plugin, this vulnerability poses a moderate risk. Because exploitation requires administrator-level access, the realistic threat actors are insiders and attackers who have already taken over an admin account. A successful injection runs script in the admin interface of every other administrator who views the affected settings; since WordPress authentication cookies are HttpOnly, such a payload typically does not steal the session outright but issues authenticated requests on the victim's behalf, which is enough to change content or configuration, add accounts, and move laterally within the WordPress environment. That can disrupt operations, damage reputation and expose data. Organizations in sectors with strict data protection obligations, such as finance, healthcare and government, may face compliance consequences if it is exploited. Multisite installations, common in large organizations, deserve particular attention: the unfiltered_html restriction they rely on to keep individual site administrators from publishing arbitrary HTML does not cover plugin settings, so if a super admin views an affected site's settings, a site administrator effectively gains super admin actions. The vulnerability does not by itself give remote code execution or a site takeover without prior admin access, but it weakens the security posture and can serve as one stage of a longer attack.

Mitigation Recommendations

Organizations should first establish whether Form Maker by 10Web is installed and which version is present; on multisite, check network-activated plugins as well as per-site activations. Any version before 1.15.33 is affected, and the advisory's wording indicates 1.15.33 as the fixed release, so update to 1.15.33 or later. Where updating must wait, reduce exposure by restricting administrator accounts to trusted personnel, enforcing multi-factor authentication on all admin accounts, and monitoring admin activity for unexpected settings changes. Web Application Firewall rules that detect common XSS payloads submitted to the plugin's settings pages can provide interim protection, with the usual caveat that encoding tricks can evade signature rules. After updating, review the plugin's stored settings for injected markup, since patching the plugin does not remove a payload that is already persisted. On multisite, confirm that unfiltered_html remains confined to super admins, but do not rely on that capability alone to contain site administrators, because it governs post content rather than plugin settings. Regular security training for administrators on safe plugin management and on recognising phishing and credential-compromise attempts reduces the likelihood of the initial admin account takeover this vulnerability depends on.
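The post-update review of stored settings can be scripted. The following audit helper is an added example for this page, not from the advisory or from 10Web; it flags option values that already carry script-like content. It runs stand-alone in the PHP CLI against the constructed sample rows below. In a live audit you would feed it rows from wp_options or from the plugin's own tables instead; the fm_ option-name prefix and the field layout used here are assumptions, not the plugin's real schema.

```php
<?php
/*
 * Added audit helper, not from the advisory or from 10Web. Runs stand-alone;
 * the $rows below are constructed sample wp_options rows. Option names and
 * layout are assumptions about where a plugin might keep its settings.
 */

/** Collect every string inside a (possibly serialized) option value. */
function fm_audit_strings( string $value ): array {
    // allowed_classes => false: never instantiate objects from untrusted data.
    $decoded = @unserialize( $value, [ 'allowed_classes' => false ] );
    if ( ! is_array( $decoded ) ) {
        return [ $value ];
    }
    $out = [];
    array_walk_recursive( $decoded, function ( $v ) use ( &$out ) {
        if ( is_string( $v ) ) {
            $out[] = $v;
        }
    } );
    return $out;
}

/** Return [option_name => reason] for rows whose value looks like active markup. */
function fm_audit_find_suspicious( array $rows ): array {
    $patterns = [
        'script tag'      => '/<\s*script\b/i',
        'event handler'   => '/\bon(error|load|click|mouseover|focus|blur|input|change|toggle|animationstart|pointer\w+)\s*=/i',
        'javascript: URL' => '/javascript\s*:/i',
        'active embed'    => '/<\s*(iframe|object|embed|svg)\b/i',
    ];
    $hits = [];
    foreach ( $rows as $row ) {
        foreach ( fm_audit_strings( $row['option_value'] ) as $s ) {
            // Undo entity encoding first so &lt;script&gt; variants are still caught.
            $s = html_entity_decode( $s, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
            foreach ( $patterns as $label => $re ) {
                if ( preg_match( $re, $s ) ) {
                    $hits[ $row['option_name'] ] = $label;
                    continue 3; // one reason per option row is enough
                }
            }
        }
    }
    return $hits;
}

// Constructed sample rows: one clean value, one raw payload inside a serialized
// settings array, and one entity-encoded image with an event handler.
$rows = [
    [ 'option_name' => 'fm_title',    'option_value' => 'Contact us' ],
    [ 'option_name' => 'fm_settings', 'option_value' => serialize( [ 'label' => '"><script>alert(document.cookie)</script>' ] ) ],
    [ 'option_name' => 'fm_footer',   'option_value' => '&lt;img src=x onerror=alert(1)&gt;' ],
];

foreach ( fm_audit_find_suspicious( $rows ) as $name => $why ) {
    printf( "%s: %s\n", $name, $why );
}
```

The pattern list is deliberately a screening heuristic, not a parser: it will miss obfuscated payloads and can flag legitimate HTML in fields that are meant to hold it, so treat a hit as something to inspect by hand rather than as proof of compromise, and treat a clean run as reducing, not removing, the need to check the plugin's own tables as well.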


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2024-12-30T18:42:51.341Z
CISA Enriched: false
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fa1484d88663aec208

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/4/2025, 7:40:52 AM

Last updated: 8/17/2025, 2:05:32 AM


