CVE-2023-45071: 
WordPress vulnerability analysis and mitigation

An unauthenticated Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin versions 1.15.18 and earlier. The vulnerability was disclosed on October 18, 2023 (NVD, Patchstack).

The vulnerability has been assigned CVE-2023-45071 and is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 base score of 6.1 (MEDIUM) from NIST with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack assessed it with a higher CVSS score of 7.1 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (NVD).

This vulnerability could allow malicious actors to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website which will be executed when guests visit the site (Patchstack).

Users are advised to update to version 1.15.19 or later to resolve the vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users update to a fixed version (Patchstack).