PT-2024-15106 · WordPress · Formidable Forms

Published: 2024-01-08 · Updated: 2024-01-16 · CVE-2023-6842

CVSS v3.1: 4.8 (Medium)

Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress, versions up to 6.7

Description: Stored Cross-Site Scripting via the name field label and description field label parameters, caused by insufficient input sanitization and output escaping. Authenticated attackers with administrator-level access can inject arbitrary web scripts into pages; the scripts execute whenever a user views an injected page. The vulnerability primarily affects multi-site installations and installations where the unfiltered_html capability has been disabled. It can also be exploited by lower-privileged user roles if they have been granted the relevant permissions in the Formidable settings.

Recommendations: For versions up to 6.7, update to a version later than 6.7 to resolve the issue. As a temporary workaround, consider restricting form creation, deletion, and other management permissions to administrator-level users only until a patch is applied. Restrict access to the name field label and description field label parameters to minimize the risk of exploitation.
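The pattern behind this class of bug, as an added illustration that is not Formidable Forms' own code: a stored field label is echoed into HTML without escaping, beside the escaped form. Function names, array keys and the `frm_description` class are hypothetical; the WordPress helpers (`esc_attr`, `esc_html`, `wp_kses`, `wp_kses_post`, `current_user_can`) are real.

```php
<?php
// Added illustration, not the plugin's code. $field holds a saved form field
// (hypothetical keys 'id', 'name', 'description'); the label and description
// are attacker-controlled once a user with form-management rights saves them.

// Vulnerable pattern: stored values land in HTML unescaped, so markup saved
// as a label runs in the browser of every user who views the form.
function render_field_label_unsafe( array $field ) {
    echo '<label for="' . $field['id'] . '">' . $field['name'] . '</label>';
    echo '<div class="frm_description">' . $field['description'] . '</div>';
}

// Hardened pattern: escape on output for the context the value lands in.
// esc_attr() for attribute values, esc_html() for text nodes. If a small
// markup subset is intentionally allowed in the description, apply wp_kses()
// with an explicit allow-list rather than trusting the stored string.
function render_field_label_safe( array $field ) {
    $allowed = array(
        'strong' => array(),
        'em'     => array(),
        'a'      => array( 'href' => array(), 'title' => array() ),
    );
    echo '<label for="' . esc_attr( $field['id'] ) . '">'
        . esc_html( $field['name'] ) . '</label>';
    echo '<div class="frm_description">'
        . wp_kses( $field['description'], $allowed ) . '</div>';
}

// Defence in depth on input. The advisory matters most on multisite and where
// unfiltered_html is disabled (e.g. via DISALLOW_UNFILTERED_HTML): there even
// administrators are not trusted with raw HTML, so the plugin must not store
// it for them. Sanitize on save unless the capability is actually held, and
// still escape on output as above.
function sanitize_field_label_for_storage( string $value ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    return wp_kses_post( $value );
}
```

Detection-wise, a form field label containing `<script`, `onerror=` or similar in the plugin's stored form configuration is a useful indicator when auditing an installation that ran an affected version.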

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2023-6842

Affected Products: Formidable Forms