CVE-2024-2112: 
WordPress vulnerability analysis and mitigation

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress contains a Sensitive Information Exposure vulnerability (CVE-2024-2112) affecting all versions up to and including 1.15.22. The vulnerability exists in the signature functionality, allowing unauthenticated attackers to extract sensitive data including user signatures (Wordfence).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability can be exploited over the network (AV:N), requires high attack complexity (AC:H), needs no privileges (PR:N), requires no user interaction (UI:N), has unchanged scope (S:U), and can result in high confidentiality impact (C:H) but no impact on integrity (I:N) or availability (A:N) (NVD).

The vulnerability allows unauthorized access to sensitive information, specifically user signatures, which could potentially be exploited by malicious actors to gather confidential data from affected WordPress installations (Wordfence).

Users should update to version 1.15.23 or later of the Form Maker plugin to address this vulnerability (WordPress).