Mohamed Azarudheen

**Name of the Vulnerable Software and Affected Versions** The Responsive Contact Form Builder & Lead Generation Plugin WordPress plugin versions 1.8.9 and earlier **Description** The issue concerns the lack of sanitization and escaping of some settings in the plugin, which could allow high-privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This is possible even when the unfiltered html capability is disallowed, for example, in a multisite setup. **Recommendations** For versions 1.8.9 and earlier, update to a version that addresses this issue, as the current version does not properly sanitize and escape its settings, posing a risk of Stored Cross-Site Scripting attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Contact Form Email WordPress plugin versions prior to 1.3.44 **Description** The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example, in a multisite setup. This is due to the plugin not sanitizing and escaping some of its settings. **Recommendations** For versions prior to 1.3.44, update to version 1.3.44 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Forminator WordPress plugin versions prior to 1.27.0 **Description** The issue arises from improper sanitization of the `redirect-url` field in form submission settings. This could allow high-privilege users, such as administrators, to inject arbitrary web scripts, even when the `unfiltered html` capability is disallowed, for example, in a multisite setup. **Recommendations** For versions prior to 1.27.0, update to version 1.27.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the form submission settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** User Registration WordPress plugin versions prior to 3.0.4.2 **Description** The issue allows high-privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This is possible because the plugin does not properly sanitize and escape some of its settings, even when the unfiltered html capability is disallowed, for example, in a multisite setup. **Recommendations** For versions prior to 3.0.4.2, update to version 3.0.4.2 or later to resolve the issue. As a temporary workaround, consider restricting the ability of high-privilege users to modify plugin settings until the update is applied.