CVE-2024-10593
WPForms – Easy Form Builder for WordPress <= 1.9.1.6 - Cross-Site Request Forgery (CSRF) to Plugin's Log DeletionThe WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.1.6. This is due to missing or incorrect nonce validation on the process_admin_ui function. This makes it possible for unauthenticated attackers to delete WPForm logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
We have discovered 203,663 live websites that are affected by CVE-2024-10593.
Affected Software
| Product |  WPForms |
| Category | Form Builders |
| Vulnerable Domains | 203,663 live websites (39% of WPForms install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 185 versions ( 87% of all versions) |
Common Weakness Enumeration
CWE-352 Cross-Site Request Forgery (CSRF)Details
- Published - Nov 13, 2024
- Updated - Nov 13, 2024
Credits
- Asaf Mozes (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2024-10593 United States | 57,325 websites |
 Germany | 20,118 websites |
 France | 11,539 websites |
 GB | 10,758 websites |
 Italy | 7,297 websites |
 Netherlands | 6,030 websites |
 Spain | 5,796 websites |
 India | 5,290 websites |
 Brazil | 5,146 websites |
 Poland | 4,673 websites |
Website Distribution by TLD
Number of websites using CVE-2024-10593| .com | 87,750 websites |
| .de | 10,100 websites |
| .org | 9,150 websites |
| .co.uk | 6,380 websites |
| .nl | 5,489 websites |
| .it | 5,199 websites |
| .fr | 4,875 websites |
| .com.br | 4,724 websites |
| .net | 4,407 websites |
| .pl | 3,522 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-10593
Top websites that are affected by CVE-2024-10593. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| **********.******.com | United States | *** | |
| ****************.com | United States | *,*** | |
| ******.com | United States | *,*** | |
| ******.com | United States | *,*** | |
| *******.org | Germany | *,*** | |
| *************.com | United States | *,*** | |
| ****.bg |  Bulgaria | *,*** | |
| ****************.org | United States | **,*** | |
| ***********.com | Italy | **,*** | |
| *********************.es | Spain | **,*** |
FAQ
CVE-2024-10593 is Cross-Site Request Forgery (CSRF) in WPForms
A total of 203,663 websites have been identified as vulnerable to CVE-2024-10593, based on global website indexing conducted by WebTechSurvey.
The WPForms is affected by the CVE-2024-10593 vulnerability.
WPForms versions up to and including 1.9.1.6 are vulnerable to CVE-2024-10593.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6d1ea80a-a1ce-4964-8dde-f3ed2df5537c?source=cve
- https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.9.1.6/src/Admin/Tools/Views/Logs.php#L269
- https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.9.1.6/src/Logger/ListTable.php#L394