The plugin does not sanitise or escape its Form Title, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfiltered_html capability is disallowed
Create a new Form via the plugin, go to Form Settings then add the following payload in the Title field: "><img src onerror=alert(1)> and save the form The XSS will be triggered when viewing/editing the form in the admin dashboard
Felipe Restrepo Rodriguez
Felipe Restrepo Rodriguez
Yes
2021-08-09 (about 1 years ago)
2021-08-09 (about 1 years ago)
2022-02-24 (about 5 months ago)