CVE-2024-10562: 
WordPress vulnerability analysis and mitigation

The Form Maker by 10Web WordPress plugin before version 1.15.31 contains a stored Cross-Site Scripting (XSS) vulnerability. This security issue was discovered and publicly disclosed on December 17, 2024, and has been assigned CVE-2024-10562 (WPScan, NVD).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. This security flaw could be exploited by users with high privileges, such as administrators, to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, which is particularly relevant in multisite setups. The vulnerability has been assigned a CVSS 3.1 score of 2.7 (LOW) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N (NVD).

When exploited, this vulnerability allows high-privilege users to inject malicious JavaScript code into the plugin settings, which can then be executed in other users' browsers when they access the affected pages. This could potentially lead to unauthorized actions being performed on behalf of other users viewing the compromised form (WPScan).

The vulnerability has been patched in version 1.15.31 of the Form Maker by 10Web plugin. Users are strongly advised to update to this version or later to mitigate the security risk (WPScan).