CVE-2024-8633 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress. This vulnerability affects all versions up to and including 1.15.27. The root cause is insufficient sanitization of user input and inadequate escaping of output during the generation of web pages by the plugin. An attacker with authenticated Administrator-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into form fields or other input areas managed by the plugin. Once injected, the malicious script is stored persistently and executed in the context of any user who views the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability requires no user interaction beyond visiting the injected page but does require high privilege levels for injection, limiting the attack vector primarily to insiders or compromised admin accounts. The CVSS v3.1 base score is 5.5, indicating medium severity, with an attack vector of network, low attack complexity, high privileges required, no user interaction, and a scope change. The impact affects confidentiality and integrity but not availability. No public exploit code or active exploitation has been reported as of the publication date. The vulnerability highlights the importance of proper input validation and output encoding in WordPress plugins, especially those handling user-generated content.

The primary impact of CVE-2024-8633 is the potential compromise of user confidentiality and integrity within affected WordPress sites using the Form Maker by 10Web plugin. An attacker with Administrator privileges can inject malicious scripts that execute in the browsers of users visiting the compromised pages. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and defacement or manipulation of website content. Although the vulnerability does not affect availability, the reputational damage and potential data breaches can be significant. Organizations relying on this plugin risk insider threats or attackers who have gained admin access exploiting this vulnerability to escalate their foothold or move laterally. Since WordPress powers a large portion of websites globally, including business, government, and e-commerce sites, the scope of impact can be broad. However, the requirement for high privileges to exploit reduces the likelihood of external attackers without credentials leveraging this flaw. Still, compromised admin accounts or malicious insiders represent a critical risk vector. Failure to address this vulnerability could lead to regulatory compliance issues if user data is exposed or manipulated.

To mitigate CVE-2024-8633, organizations should immediately upgrade the Form Maker by 10Web plugin to a version that addresses this vulnerability once released by the vendor. In the absence of an official patch, administrators should restrict plugin access strictly to trusted personnel and monitor admin accounts for suspicious activity. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injection patterns in form inputs can provide temporary protection. Conduct thorough input validation and output encoding on all user-supplied data within the plugin’s forms if custom modifications are possible. Regularly audit and review user roles and permissions to minimize the number of users with Administrator-level access. Employ multi-factor authentication (MFA) for all admin accounts to reduce the risk of credential compromise. Additionally, monitor website logs for unusual behavior indicative of XSS exploitation attempts. Educate site administrators about the risks of stored XSS and the importance of applying security updates promptly. Finally, consider isolating critical WordPress instances or using security plugins that can detect and remediate XSS payloads.