FormCraft - Premium WordPress Form Builder <= v3.2.31 - Authenticated Stored XSS

Description

WordPress FormCraft Premium WordPress Form Builder versions 3.2.31 and below suffer from a persistent Cross-Site Scripting (XSS) vulnerability.

Proof of Concept

Authenticated Stored XSS:

New Form > Heading > Heading Text input field is vulnerable. The payload will execute when the form is displayed.

Affects Plugin

fixed in version 3.4

CVE	2017-18600
PacketStorm	143498
URL	https://formcraft-wp.com/changelog/