Executive Summary

The vulnerability in the Form Maker by 10Web WordPress plugin is a Stored Cross-Site Scripting (XSS) issue affecting all versions up to and including 1.15.35. It arises because the plugin's default file upload allowlist includes SVG files, and the extension validation is weak, relying on substring checks. This allows unauthenticated attackers to upload malicious SVG files containing JavaScript code. When these files are viewed by administrators or site visitors through form file upload fields, the embedded JavaScript executes, potentially compromising the site. [3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow unauthenticated attackers to execute arbitrary JavaScript code in the context of the affected website. This can lead to theft of sensitive information, session hijacking, defacement, or other malicious actions performed on behalf of administrators or site visitors. Since the attack vector involves uploading malicious SVG files, attackers can bypass normal file upload restrictions and compromise the site without authentication. [3]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the Form Maker by 10Web WordPress plugin is installed and running a vulnerable version (up to and including 1.15.35). Additionally, detection can involve scanning for uploaded SVG files in the form upload directories that may contain embedded JavaScript code. Since the vulnerability involves unauthenticated attackers uploading malicious SVG files, monitoring file upload fields in forms for SVG files and inspecting their content for JavaScript payloads is recommended. Specific commands are not provided in the resources, but general approaches include using file system search commands to find SVG files and inspecting them, e.g., using 'find' and 'grep' on Linux systems: - `find /path/to/wordpress/wp-content/uploads/ -name '*.svg' -exec grep -l '<script' {} +` This command searches for SVG files containing '<script' tags, which may indicate malicious JavaScript. Also, checking the plugin version can be done via WP-CLI: - `wp plugin get form-maker --field=version` If the version is 1.15.35 or lower, the site is vulnerable. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include updating the Form Maker by 10Web plugin to a version higher than 1.15.35 where the vulnerability is fixed. If an update is not immediately possible, restrict or disable file uploads of SVG files via the plugin's settings or by applying server-side restrictions to block SVG uploads. Additionally, implement input validation and sanitization on file uploads to prevent malicious SVG files containing JavaScript from being accepted. Monitoring and removing any suspicious SVG files already uploaded is also recommended. Limiting permissions so that only authenticated and authorized users can upload files can reduce risk. Finally, consider applying Web Application Firewall (WAF) rules to block malicious payloads targeting this vulnerability. [1, 2]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0