PT-2023-16352 · WordPress · Contact-Form-Plugin

Vaibhav Rajput · Published 2023-04-10 · Updated 2023-04-14 · CVE-2023-0546

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Contact Form Plugin (WordPress plugin), versions prior to 4.3.25

Description
The plugin's custom HTML field type does not properly sanitize or escape the srcdoc attribute of iframe elements. A logged-in user with a role as low as contributor can therefore store arbitrary JavaScript in a form (stored cross-site scripting). The attribute is the reason the payload survives filtering: srcdoc carries an entity-encoded HTML document that the browser decodes and renders inside the iframe, so an encoded script tag never appears as a literal <script> tag in the stored field, and an iframe without a sandbox attribute is same-origin with the page that embeds it, so the script runs with the site's own origin. The injected JavaScript executes for any visitor who views the form and for administrators previewing or editing it.

Recommendations
Update to version 4.3.25 or later. Until the update can be applied, restrict who can edit forms that use the custom HTML field type, or disable that field type, since the only precondition is a contributor-level account; also review existing forms for iframe elements carrying a srcdoc attribute, as a payload stored before the update remains in place after it.
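The srcdoc bypass described above and the allowlist fix recommended here, shown as an added illustration in Node.js. This is constructed example code, not the plugin's or WordPress's own: the two sanitizers, the decodeEntities helper, the ALLOWED table and the payload are assumptions made for the demonstration, and the regex-based tag handling is a stand-in for a real HTML parser. In a WordPress plugin the idiomatic fix is to pass the stored field through wp_kses with an allowlist that does not contain iframe.

```javascript
// Added illustration of the srcdoc vector behind CVE-2023-0546 and of the
// allowlist fix. Constructed example; not code from the Contact Form Plugin.

// Decode the entity forms a browser resolves inside an attribute value
// (named, decimal and hexadecimal references sufficient for the demo).
function decodeEntities(s) {
  const named = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|lt|gt|amp|quot|apos);/gi, (_, e) => {
    const l = e.toLowerCase();
    if (l[0] !== '#') return named[l];
    const cp = l[1] === 'x' ? parseInt(l.slice(2), 16) : parseInt(l.slice(1), 10);
    return String.fromCodePoint(cp);
  });
}

// Blocklist sanitizer over the raw string: strips <script> elements, inline
// on* handlers and javascript: URLs. Assumed stand-in for the kind of filter
// the srcdoc vector gets past: the payload never contains a literal <script>.
function blocklistSanitize(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    .replace(/\son[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, '')
    .replace(/\s(?:href|src)\s*=\s*(["']?)\s*javascript:[^"'\s>]*\1/gi, '');
}

// What the browser does with each <iframe srcdoc="..."> in a fragment: the
// attribute value is entity-decoded and parsed as the iframe's own document.
// Without a sandbox attribute that document shares the host page's origin.
function srcdocDocuments(html) {
  const docs = [];
  const re = /<iframe\b[^>]*?\bsrcdoc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    docs.push(decodeEntities(m[1] ?? m[2] ?? m[3]));
  }
  return docs;
}

// True if script would run: a <script> tag or inline handler either in the
// host markup or in any document a srcdoc attribute expands to.
function executesScript(html) {
  const probe = (s) => /<script\b/i.test(s) || /\son[a-z]+\s*=/i.test(s);
  return probe(html) || srcdocDocuments(html).some(probe);
}

// Allowlist sanitizer: tags not listed are dropped, listed tags keep only the
// listed attributes. iframe is absent and srcdoc is never allowed, so the
// payload has nowhere to live. (Assumed allowlist; a WordPress plugin would
// hand wp_kses an equivalent table.)
const ALLOWED = {
  p: [], br: [], b: [], i: [], strong: [], em: [], span: ['class'],
  a: ['href', 'title'], img: ['src', 'alt'],
};
function allowlistSanitize(html) {
  return html.replace(/<\/?([a-z][a-z0-9]*)\b([^>]*)>/gi, (tag, rawName, attrs) => {
    const name = rawName.toLowerCase();
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, name)) return '';
    if (tag.startsWith('</')) return `</${name}>`;
    const kept = [];
    const attrRe = /([a-z][a-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
    let m;
    while ((m = attrRe.exec(attrs)) !== null) {
      const aName = m[1].toLowerCase();
      const value = m[2] ?? m[3] ?? m[4];
      if (!ALLOWED[name].includes(aName)) continue;
      if (/^\s*javascript:/i.test(decodeEntities(value))) continue;
      kept.push(`${aName}="${value.replace(/"/g, '&quot;')}"`);
    }
    return `<${name}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}

// Constructed payload in the shape the advisory describes: an entity-encoded
// script inside srcdoc. The raw field contains no literal <script> tag.
const PAYLOAD =
  '<p>Contact us</p>' +
  '<iframe srcdoc="&lt;script&gt;parent.document.title=\'xss\'&lt;/script&gt;"></iframe>';

// Compare both sanitizers on the payload. Expected: the blocklist output still
// executes script once the browser expands srcdoc; the allowlist output does not.
function demo() {
  const afterBlocklist = blocklistSanitize(PAYLOAD);
  const afterAllowlist = allowlistSanitize(PAYLOAD);
  return {
    blocklistStillExecutes: executesScript(afterBlocklist),
    allowlistStillExecutes: executesScript(afterAllowlist),
    afterAllowlist,
  };
}

console.log(demo());
```

Run with `node` and compare the two flags: the blocklist leaves the field byte-for-byte unchanged because nothing in it looks dangerous until the browser decodes the attribute, while the allowlist reduces the field to `<p>Contact us</p>`. The same blocklist does strip a plain `<img onerror=...>` handler, which is why this class of filter looks adequate in testing and fails only on attribute-embedded documents.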

Related Identifiers

CVE-2023-0546

Affected Products

Contact-Form-Plugin