The plugin does not sanitise or escape its Form Name, allowing high-privilege users such as admins to store a Cross-Site Scripting payload in it, even when the unfiltered_html capability is disallowed.
Create a new Form via the plugin and fill it with any values. In the next step, change the Form name to: "/><img src onerror=alert(/XSS/)> and save the form. The XSS is triggered when viewing the forms list (/wp-admin/admin.php?page=visual-form-builder) or when editing the related form.
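The root cause is that the stored name is printed into HTML without context-appropriate escaping. The snippet below is an added illustration, not the plugin's own code: it shows the vulnerable output pattern beside the hardened one, using fallbacks assumed to mirror WordPress's esc_attr()/esc_html() so it runs outside WordPress.

```php
<?php
// Added example, not Visual Form Builder's code. Outside WordPress, define
// minimal stand-ins for the core escaping helpers (assumed equivalent here;
// both wrap htmlspecialchars() with ENT_QUOTES).
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}

// Vulnerable pattern: the stored form name is concatenated straight into an
// attribute value. A name that starts with "/> closes the tag early and the
// remainder is parsed as new markup.
function render_form_name_vulnerable($form_name) {
    return '<input type="text" name="form_name" value="' . $form_name . '" />';
}

// Hardened pattern: escape for attribute context at output time. The
// unfiltered_html capability only governs content WordPress filters itself;
// a plugin's own stored fields are the plugin's responsibility to escape.
function render_form_name_safe($form_name) {
    return '<input type="text" name="form_name" value="' . esc_attr($form_name) . '" />';
}

// Same rule when the name is shown as text in the forms list table.
function render_list_cell_safe($form_name) {
    return '<td>' . esc_html($form_name) . '</td>';
}

// Constructed input: the payload quoted in the advisory above.
$name = '"/><img src onerror=alert(/XSS/)>';
echo render_form_name_vulnerable($name), PHP_EOL; // tag broken, img injected
echo render_form_name_safe($name), PHP_EOL;       // quotes and angle brackets encoded
echo render_list_cell_safe($name), PHP_EOL;       // rendered as literal text
```

Run with `php example.php`; only the first line of output contains a live `<img>` element, the other two print the payload as inert text.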
Felipe Restrepo Rodriguez
Felipe Restrepo Rodriguez
Yes
2021-09-27 (about 1 year ago)
2021-09-27 (about 1 year ago)
2022-04-14 (about 9 months ago)