The plugin does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue
Create or edit a form and add the following payload in the Form Title field "autofocus onmouseover=alert(/XSS/)// save it and move the mouse over the Title field Edit (WPScanTeam): better payload (no interaction needed other than editing the affected Form): " style="animation-name:rotation" onanimationstart="alert(/XSS/)//
Felipe Restrepo Rodriguez
Felipe Restrepo Rodriguez
Yes
2021-07-15 (about 10 months ago)
2021-07-15 (about 10 months ago)
2021-07-30 (about 9 months ago)