CVE-2026-1058

WordPress · WordPress Form Maker plugin

A high-severity vulnerability exists in the Form Maker plugin for WordPress, allowing attackers to inject malicious code into websites.

Executive summary

The Form Maker plugin for WordPress contains a high-severity vulnerability that allows attackers to inject malicious code into websites. The injected code, stored inside a form submission, executes in the browsers of site administrators or users who view the form data, potentially leading to account takeover, data theft, and website defacement. Organizations using this plugin are at significant risk of compromise and should apply updates immediately.

Vulnerability

The vulnerability is a Stored Cross-Site Scripting (XSS) flaw. An unauthenticated attacker can craft a malicious JavaScript payload and submit it through a form created by the plugin, specifically within a hidden field; because a hidden field is only hidden by the browser, its value is as attacker-controlled as any visible input. The plugin fails to sanitize or validate the content of this hidden field before saving it to the database. When a privileged user, such as an administrator, views the submitted form data in the WordPress backend, the stored script executes in the context of that user's browser session, potentially allowing the attacker to steal session cookies, perform actions on the administrator's behalf, or redirect them to malicious sites.
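The pattern behind this class of flaw, as an added illustration that is not the plugin's code and not taken from the advisory: a backend listing that interpolates stored field values verbatim, beside the same listing with output escaping. The sample submissions, the field names and the two render functions are constructed for this example; in a real WordPress plugin the equivalent calls are esc_html() at output time and sanitize_text_field() at storage time.

```python
import html
import re

# Constructed sample of stored submissions, shaped like what a form plugin
# might persist after accepting a POST. "tracking" plays the role of the
# form's hidden field: type="hidden" only affects how the browser draws the
# form, so the value is fully attacker-controlled and must be treated like
# any other input. The payload is a harmless constructed marker.
SUBMISSIONS = [
    {"id": 1, "name": "Alice", "tracking": "campaign-42"},
    {"id": 2, "name": "Mallory", "tracking": '<script>alert("xss")</script>'},
]


def render_entries_vulnerable(entries):
    """Admin listing that interpolates stored values verbatim (the flaw)."""
    rows = []
    for entry in entries:
        rows.append(
            f"<tr><td>{entry['id']}</td><td>{entry['name']}</td>"
            f"<td>{entry['tracking']}</td></tr>"
        )
    return "<table>" + "".join(rows) + "</table>"


def render_entries_hardened(entries):
    """Same listing, but every stored value is HTML-escaped at output time.

    Escaping on output is the fix that holds regardless of how the value
    reached the database (form POST, import, direct SQL).
    """
    rows = []
    for entry in entries:
        cells = (
            html.escape(str(entry[key]), quote=True)
            for key in ("id", "name", "tracking")
        )
        rows.append("<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>")
    return "<table>" + "".join(rows) + "</table>"


def sanitize_on_store(value):
    """Defense in depth at write time: drop tags from a plain-text field.

    Stripping alone is not a substitute for escaping on output; it only
    reduces what ends up in the database for fields that never need markup.
    """
    return re.sub(r"<[^>]*>", "", value).strip()


def contains_live_script(markup):
    """Does a raw <script tag survive rendering? Used to compare the two renderers."""
    return "<script" in markup.lower()
```

Rendering SUBMISSIONS through the vulnerable function leaves the script tag intact in the administrator's page; the hardened function emits it as visible text (`&lt;script&gt;...`) instead.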

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.1. Exploitation could have a significant negative impact on the business. Successful exploitation could lead to the complete compromise of the WordPress site if an administrator's session is hijacked. Specific risks include the theft of sensitive user data submitted through forms, reputational damage from website defacement, loss of customer trust, and the potential for the compromised website to be used as a platform for further attacks against its visitors.

Remediation

Immediate Action: Update the Form Maker plugin to the latest version provided by the vendor, which contains a patch for this vulnerability. If the plugin is not essential to business operations, consider deactivating and removing it entirely to reduce the attack surface. Review all WordPress security settings to ensure they align with security best practices.

Proactive Monitoring: Security teams should monitor web server logs, application logs and database records for form submissions containing suspicious strings such as <script>, onerror, onload or other HTML/JavaScript markup. Note that standard web server access logs record the request line but not POST bodies, so submitted field values must be inspected at the WAF, in application-level logging or in the stored form entries themselves. A Web Application Firewall (WAF) should be configured to log and block XSS attack patterns. Also monitor for unauthorized administrative activity, such as new user creation or plugin/theme modifications.
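The monitoring step above, as an added example that is not part of the advisory: a small scanner that applies the suspicious-string checks to access-log lines (query string, referer, user agent) and to stored submission rows, percent-decoding first so that encoded and double-encoded payloads are still caught. The log lines, submission rows, field names and indicator list are constructed for this example; the patterns are triage signals to tune, not a complete XSS grammar.

```python
import re
from urllib.parse import unquote_plus

# Indicator patterns: script tags, inline event-handler attributes,
# javascript: URIs and tag names commonly used to carry handlers.
XSS_PATTERNS = [
    ("script_tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("html_tag", re.compile(r"<\s*(img|svg|iframe|object|embed|body)\b", re.I)),
]

# Combined log format (Apache/nginx default). Path, referer and user agent
# are the attacker-controlled fields worth scanning; bodies are not logged.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2026:10:00:01 +0000] "GET /contact/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2026:10:00:07 +0000] "GET /contact/?ref=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Jan/2026:10:01:12 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 73 "https://example.test/contact/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2026:10:02:30 +0000] "GET /?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 100 "-" "curl/8.0"',
]

# Constructed stored submissions, as a form plugin might keep them.
SAMPLE_SUBMISSIONS = [
    {"id": 1, "fields": {"name": "Alice", "hidden_ref": "campaign-42"}},
    {"id": 2, "fields": {"name": "Mallory", "hidden_ref": "<img src=x onerror=alert(1)>"}},
]


def decode_layers(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_indicators(text):
    """Names of every XSS pattern that matches the decoded text, in list order."""
    decoded = decode_layers(text)
    return [name for name, pattern in XSS_PATTERNS if pattern.search(decoded)]


def scan_access_log(lines):
    """One finding per access-log line whose request fields carry indicators."""
    findings = []
    for line in lines:
        match = LOG_LINE_RE.match(line)
        if not match:
            continue  # unknown format: skip rather than guess at fields
        fields = match.groupdict()
        indicators = []
        for key in ("path", "referer", "ua"):
            for name in find_indicators(fields[key]):
                if name not in indicators:
                    indicators.append(name)
        if indicators:
            findings.append({"ip": fields["ip"], "ts": fields["ts"],
                             "path": fields["path"], "indicators": indicators})
    return findings


def scan_submissions(rows):
    """Scan stored form entries; this is where hidden-field payloads surface."""
    findings = []
    for row in rows:
        for field, value in row["fields"].items():
            indicators = find_indicators(str(value))
            if indicators:
                findings.append({"id": row["id"], "field": field,
                                 "indicators": indicators})
    return findings
```

Run scan_access_log over the web server log and scan_submissions over a periodic export of the plugin's stored entries; the second check matters most here because the vulnerable input travels in a POST body that the access log never sees.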

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with strict rules designed to detect and block XSS payloads in POST requests. Additionally, implementing a strong Content Security Policy (CSP) can help mitigate the risk by preventing the execution of unauthorized inline scripts. Access to the backend pages where form submissions are viewed should be restricted to the minimum number of trusted personnel.
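For the CSP compensating control, an added example (not from the advisory or the plugin) showing a weak policy beside a nonce-based one and a checker that decides whether injected inline script or event handlers would run under a given header. The policy strings, the nonce generator and the parser are constructed for this example; the evaluation rules follow the CSP specification (script-src falls back to default-src, no directive means no restriction, and a nonce or hash source makes browsers ignore 'unsafe-inline').

```python
import secrets

# Weak setting: 'unsafe-inline' lets any injected <script> or onerror= handler run.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"


def make_nonce():
    """Fresh per-response nonce; it must change on every page load."""
    return secrets.token_urlsafe(16)


def build_hardened_csp(nonce):
    """Policy that only runs scripts the server has tagged with this nonce."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'"
    )


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            # Duplicate directives: the first occurrence wins, per the spec.
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def allows_inline_script(policy):
    """True if injected inline script or handlers would execute under the policy."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # neither directive present: scripts are unrestricted
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
        for s in sources
    )
    return "'unsafe-inline'" in sources and not has_nonce_or_hash
```

A caveat for WordPress specifically: the admin dashboard itself relies on inline scripts, so a nonce-based policy on backend pages only works if every legitimate inline script carries the nonce. Roll it out first with the Content-Security-Policy-Report-Only header and review the violation reports before enforcing.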

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 7.1) and the potential for a complete site takeover, we strongly recommend that organizations identify all websites using the vulnerable Form Maker plugin and apply the necessary updates immediately. This vulnerability should be prioritized for remediation. While this CVE is not currently listed on the CISA KEV (Known Exploited Vulnerabilities) catalog, its impact warrants urgent attention to prevent potential compromise of web assets and sensitive user data.