FormCraft - Premium WordPress Form Builder <= v3.2.31 - Authenticated Stored XSS

Description

The FormCraft - Premium WordPress Form Builder plugin, versions 3.2.31 and below, suffers from a persistent (stored) Cross-Site Scripting (XSS) vulnerability: heading text saved by an authenticated user is rendered back into the page without output escaping.
Proof of Concept
Authenticated Stored XSS:

New Form > Heading > Heading Text input field is vulnerable. The payload will execute when the form is displayed.
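The root cause of a stored XSS like this one is rendering a saved, user-controlled string into HTML without escaping it. The snippet below is an added illustration and is not FormCraft's code; it uses a hypothetical `fc_demo_*` heading setting and a constructed sample value to show the vulnerable render path next to the hardened one (escape on output with `esc_html()`, plus `sanitize_text_field()` on save as defence in depth). The two `function_exists` shims are only there so the file runs under plain `php` outside WordPress; inside WordPress the real functions are used.

```php
<?php
// Added illustration, not FormCraft's code. The setting name, the fc_demo_*
// functions and the sample payload are all hypothetical/constructed.

// Minimal stand-ins so the file runs outside WordPress; WordPress defines the real ones.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $text ) {
        // Strip tags and control characters, collapse whitespace, trim.
        $text = strip_tags( (string) $text );
        $text = preg_replace( '/[\x00-\x1F\x7F]/', '', $text );
        return trim( preg_replace( '/\s+/', ' ', $text ) );
    }
}

// Constructed input: what an attacker-controlled "Heading Text" value could contain.
$stored_heading = '<img src=x onerror=alert(document.cookie)>';

// Vulnerable pattern: the stored value is concatenated into markup verbatim, so any
// HTML it carries becomes part of the DOM every time the form is displayed.
function fc_demo_render_heading_vulnerable( $text ) {
    return '<h2 class="fc-heading">' . $text . '</h2>';
}

// Hardened pattern: escape at the point of output. esc_html() turns <, >, &, " and '
// into entities, so the value is shown as text instead of being parsed as HTML.
function fc_demo_render_heading_fixed( $text ) {
    return '<h2 class="fc-heading">' . esc_html( $text ) . '</h2>';
}

// Defence in depth: sanitize on save as well, so the stored option never holds raw
// HTML even if some other template forgets to escape it on output.
function fc_demo_save_heading( $raw ) {
    return sanitize_text_field( $raw );
}

if ( PHP_SAPI === 'cli' ) {
    echo "vulnerable: ", fc_demo_render_heading_vulnerable( $stored_heading ), "\n";
    echo "escaped:    ", fc_demo_render_heading_fixed( $stored_heading ), "\n";
    echo "sanitized:  ", fc_demo_render_heading_fixed( fc_demo_save_heading( $stored_heading ) ), "\n";
}
```

When reviewing a form builder or theme for this class of bug, grep the front-end templates for echoed option or post-meta values that are not wrapped in `esc_html()`, `esc_attr()` or `wp_kses_post()`; a Content-Security-Policy that disallows inline scripts also limits what a stored payload can do if an escaping gap is missed.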

Affects Plugin

Fixed in version 3.4

References

CVE 2017-18600
PACKETSTORM 143498
URL https://formcraft-wp.com/changelog/

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter 8bitsec
Submitter Website http://8bitsec.io/
Submitter Twitter _8bitsec
Views 6078
Verified No
WPVDB ID 8877

Timeline

Publicly Published 2017-07-26 (about 2 years ago)
Added 2017-08-02 (about 2 years ago)
Last Updated 2019-09-10 (about 1 month ago)
