The plugin does not properly sanitize some of its settings, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Put the following payload in the From/Replyto Name field at ARForms Lite > General Settings > Email Settings: "><script>alert(/XSS/)</script>
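The pattern behind this class of bug and its fix, as an added example that is not ARForms Lite code: a saved setting echoed into an HTML attribute without encoding, next to the same field with output escaping and input sanitization. The function names and the reply_to_name field name are hypothetical; plain PHP functions stand in for WordPress's esc_attr() and sanitize_text_field() so the snippet runs outside WordPress.

```php
<?php
// Added illustration; not the plugin's code. Function and field names are hypothetical.

// Constructed sample: the proof-of-concept value as it would sit in the saved setting.
$stored = '"><script>alert(/XSS/)</script>';

// Vulnerable pattern: the saved value is concatenated straight into an attribute,
// so the leading "> closes value="..." and the rest is parsed as markup.
function render_field_unsafe(string $value): string {
    return '<input type="text" name="reply_to_name" value="' . $value . '">';
}

// Hardened output: encode for the attribute context at render time.
// Inside WordPress, esc_attr() is the function to use here.
function render_field_safe(string $value): string {
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="reply_to_name" value="' . $escaped . '">';
}

// Hardened input: a display name needs no markup, so strip tags and control
// characters before saving. Inside WordPress, sanitize_text_field() does this job.
function sanitize_name(string $value): string {
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value) ?? '';
    return trim($value);
}

// 1) Unescaped: the script element lands in the page as live markup.
echo render_field_unsafe($stored), PHP_EOL;

// 2) Escaped on output: quotes and angle brackets become entities and stay inside value="...".
echo render_field_safe($stored), PHP_EOL;

// 3) Sanitized on save and escaped on output: both layers applied.
echo render_field_safe(sanitize_name($stored)), PHP_EOL;
```

Escaping at output is the control that closes the hole; sanitizing on save is a second layer, and neither depends on the unfiltered_html capability of the user who entered the value.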
Dhananjaygarg
Dhananjaygarg
Yes
2021-11-02 (about 1 years ago)
2021-11-02 (about 1 years ago)
2022-04-13 (about 1 years ago)