The plugin does not sanitise and escape the Form Title before outputting it in some admin pages, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
1. Go to Forms.
2. Go to Add New Form.
3. In the title put <script>alert("Ehlo");</script>
4. Save the setting and then go to the URLs: https://example.com/wp-admin/admin.php?page=accua_forms_submissions_list and https://example.com/wp-admin/admin.php?page=accua_forms_list
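The root cause described above is output without escaping: a title stored through the plugin's own settings path is not subject to the KSES filtering that WordPress applies to post content for users lacking unfiltered_html, so the stored string reaches the admin page verbatim. The following is an added illustration, not the plugin's own code: a hypothetical admin list renderer shown first unescaped and then escaped. `htmlspecialchars()` with `ENT_QUOTES` stands in for WordPress's `esc_html()`, which applies equivalent encoding, so the snippet runs under plain PHP without a WordPress install. The `$title` value is the payload from the reproduction steps, embedded here as a constructed sample.

```php
<?php
// Added example (not from the advisory or the plugin). Demonstrates why
// escaping at output time is required regardless of the unfiltered_html
// capability: the value is stored untouched and rendered into admin HTML.

// Constructed sample: the Form Title from the reproduction steps.
$title = '<script>alert("Ehlo");</script>';

// Vulnerable pattern: the stored title is concatenated straight into markup.
function render_row_unescaped(string $title): string
{
    return '<td class="column-title">' . $title . '</td>';
}

// Hardened pattern: HTML-encode the value at the point of output.
// In a WordPress plugin this is esc_html($title); htmlspecialchars with
// ENT_QUOTES | ENT_SUBSTITUTE is the plain-PHP equivalent used here.
function render_row_escaped(string $title): string
{
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td class="column-title">' . $safe . '</td>';
}

// Simple check a reviewer can run: the escaped output must not contain a
// raw <script> tag, while the unescaped output does.
function output_contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

echo render_row_unescaped($title), PHP_EOL;
// <td class="column-title"><script>alert("Ehlo");</script></td>

echo render_row_escaped($title), PHP_EOL;
// <td class="column-title">&lt;script&gt;alert(&quot;Ehlo&quot;);&lt;/script&gt;</td>

var_dump(output_contains_script_tag(render_row_unescaped($title))); // bool(true)
var_dump(output_contains_script_tag(render_row_escaped($title)));   // bool(false)
```

The same title should also be escaped with the context-appropriate function wherever else it appears (for example `esc_attr()` inside an HTML attribute), since a single missed output site reintroduces the issue.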
Felipe Restrepo Rodriguez, Sebastian Cruz Cardona
Sebastian Cruz Cardona
Yes
2021-09-27 (about 1 year ago)
2021-09-27 (about 1 year ago)
2022-04-08 (about 9 months ago)