The FormBuilder WordPress plugin through 1.08 does not have CSRF checks in place when creating, updating and deleting forms, and does not sanitise and escape its form field values. As a result, attackers could make a logged-in admin update and delete arbitrary forms via a CSRF attack, and put Cross-Site Scripting payloads in them.
[
{
"product": "FormBuilder",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "1.08",
"status": "affected",
"version": "1.08",
"versionType": "custom"
}
]
}
]