The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in it’s custom HTML field type, allowing a logged in user with roles as low as contributor to inject arbitrary javascript into a form which will trigger for any visitor to the form or admins previewing or editing the form.
[
{
"vendor": "Unknown",
"product": "Contact Form Plugin",
"versions": [
{
"status": "affected",
"versionType": "custom",
"version": "0",
"lessThan": "4.3.25"
}
],
"defaultStatus": "unaffected",
"collectionURL": "https://wordpress.org/plugins"
}
]