Ninja Forms < 3.6.10 - Admin+ Stored Cross-Site Scripting via Import
The plugin does not sanitize and escape some imported data, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Proof of Concept
- Make a test form and then export it to your system.
- Edit the file and enter an XSS payload like "<img src=x onerror=alert('XSS')" inside the title object in the JSON file.
- Go back to the import/export tab and notice that the payload was executed