CVE-2023-33971

Name of the Vulnerable Software and Affected Versions Formcreator versions 2.13.5 and prior

Description A stored cross-site scripting issue is present in the Formcreator plugin, potentially allowing arbitrary javascript code execution in an admin or tech context. This is due to the use of ##FULLFORM## for rendering. The estimated number of potentially affected devices is not specified. There is no information about real-world incidents where this issue was exploited. Technical details about exploitation include the use of ##FULLFORM## which could lead to the execution of arbitrary javascript code. As a mitigation measure, using a regular expression to remove <, >, and " in all fields can help minimize the risk.

Recommendations For Formcreator versions 2.13.5 and prior, as a temporary workaround, consider using a regular expression to remove <, >, and " in all fields to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.