Researcher: David Jones

Rank: #42431 of 53,634 · Total CVSS: 6.3 · Vulnerabilities: 1

PT-2024-15732 · CVSS 6.3 · 2024-01-26 · 10Web · The Form Maker · CVE-2024-0667
**Name of the Vulnerable Software and Affected Versions**

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress, versions up to and including 1.15.21.

**Description**

The issue is due to missing or incorrect nonce validation on the `execute` function, making it possible for unauthenticated attackers to execute arbitrary methods in the `BoosterController` class via a forged request. This can be achieved if attackers can trick a site administrator into performing an action such as clicking on a link.

**Recommendations**

For versions up to and including 1.15.21, consider disabling the `execute` function in the `BoosterController` class until a patch is available to prevent exploitation. Restrict access to the `BoosterController` class to minimize the risk of arbitrary method execution. Avoid using the `execute` function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
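The defect class described above (a request-driven dispatcher with no nonce check) is illustrated below with a hypothetical WordPress AJAX handler. This is an added example, not the plugin's own code; the class name `BoosterControllerExample`, the hook `wp_ajax_fm_booster_execute`, the nonce action `fm_booster_execute` and the `task` parameter are all assumptions chosen for illustration.

```php
<?php
// Added illustration of the vulnerable pattern beside a hardened one.
// Not the plugin's code; all names below are assumed for the example.

class BoosterControllerExample {
    // Explicit allowlist of methods reachable from a request.
    private const ALLOWED_TASKS = array( 'status', 'refresh' );

    public function status()  { return array( 'ok' => true ); }
    public function refresh() { return array( 'refreshed' => true ); }

    // Vulnerable pattern: any public method named in the request is called,
    // with no nonce and no capability check, so a forged cross-site request
    // carried by a logged-in administrator's browser is accepted.
    public function execute_insecure() {
        $method = isset( $_POST['task'] ) ? (string) $_POST['task'] : '';
        if ( method_exists( $this, $method ) ) {
            wp_send_json( $this->$method() );
        }
        wp_send_json_error( 'unknown task', 400 );
    }

    // Hardened pattern.
    public function execute() {
        // 1. CSRF protection: the nonce is bound to the logged-in user and
        //    session, so a link or form on a third-party site cannot carry
        //    a valid one. check_ajax_referer() terminates on failure.
        check_ajax_referer( 'fm_booster_execute', '_wpnonce' );

        // 2. Authorization is a separate check from CSRF protection.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }

        // 3. Never dispatch on a caller-chosen method name; use the allowlist.
        $task = isset( $_POST['task'] ) ? sanitize_key( wp_unslash( $_POST['task'] ) ) : '';
        if ( ! in_array( $task, self::ALLOWED_TASKS, true ) ) {
            wp_send_json_error( 'unknown task', 400 );
        }
        wp_send_json_success( $this->$task() );
    }
}

// Register for authenticated users only (no wp_ajax_nopriv_ variant).
add_action( 'wp_ajax_fm_booster_execute', array( new BoosterControllerExample(), 'execute' ) );

// The admin page that issues legitimate requests obtains the matching nonce with:
// wp_create_nonce( 'fm_booster_execute' );
```

The three checks are independent: a nonce alone does not authorize the caller, a capability check alone does not stop a forged request, and without the allowlist both still leave every public method on the class reachable.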