The plugin does not sanitise and escape user input given in its forms, which could allow unauthenticated attackers to perform Cross-Site Scripting attacks against admins
As unauthenticated, on a page/post where there is a contact form created via the plugin, put the following payload in the Name, Subject and Message fields: <img src onerror=alert(/XSS/)> The XSS will be triggered when an admin will view the related entry
Rafshanzani Suhada
Rafshanzani Suhada
Yes
2022-08-10 (about 9 months ago)
2022-08-10 (about 9 months ago)
2023-05-07 (about 27 days ago)