XSS in 10web Form_maker
CVE-2022-1564
The Form Maker by 10Web WordPress plugin before 1.14.12 does not sanitize and escape the Custom Text settings, which could allow a high-privilege user such as an admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallo…
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.010 (58.3rd percentile)
CVSS v3 metric
CVSS v3 base score 4.8 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N.
Affected products
- 10web Form_maker
- Unknown Form Maker By 10web – Mobile-friendly Drag & Drop Contact Builder — versions 1.14.12
Weakness classification (CWE)
Public proof-of-concept exploits
References
- contact@wpscan.com (Exploit, Third Party Advisory, x_refsource_MISC)
Frequently asked questions
- What is CVE-2022-1564?
  - CVE-2022-1564 is a medium-severity vulnerability in 10web Form_maker, classified under Cross-site Scripting. CVSS score: 4.8/10. Published 2022-05-30.
- How severe is CVE-2022-1564?
  - Medium severity. CVSS v3 base score is 4.8 out of 10.
- Is CVE-2022-1564 known to be exploited?
  - 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.