The plugins do not sanitise and escape their Form Name, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Create a form and put the following payload in the Form Title: "><img src onerror=alert(/XSS/)> The XSS will be triggered in the Forms list, as well as when viewing/previewing the form
Felipe Restrepo Rodriguez
Felipe Restrepo Rodriguez
Yes
2022-01-31 (about 3 months ago)
2022-01-31 (about 3 months ago)
2022-04-12 (about 1 months ago)