Forminator < 1.24.4 – Reflected XSS | CVE 2023-3134

Description

The plugin does not properly escape values that are being reflected inside form fields that use pre-populated query parameters, which could lead to reflected XSS attacks.

Proof of Concept

1. Create a "Contact Us" form from the plugin presets
2. Click on the Message field, go to the "Settings" tab and choose a name for the parameter you want to use to pre-populate that field later, and write it down to in the field to that effect, in the "query parameter" textbox.
3. Save the form, add the resulting shortcode to a post, and preview it.
4. Once on the previewed post, add the parameter you set in Step 2 to the post's URL. Have it contain the following value:

```
<img src=x <script>onerror=alert(window.domain);//>
```

The resulting URL should look something similar to the following (the parameter name I chose at step 2 is "blah"): 

https://example.com/?p=145&preview=true&blah=%3Cimg%20src=x%20%3Cscript%3Eonerror=alert(window.domain);//%3E 

5. Click on the textarea containing the seemingly encoded IMG tag, and press backspace once. This should launch the alert box.