WordPress FormCraft Premium WordPress Form Builder versions 3.2.31 and below suffer from a persistent Cross-Site Scripting (XSS) vulnerability.
Authenticated Stored XSS:
New Form > Heading > Heading Text input field is vulnerable. The payload will execute when the form is displayed.
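
What closing this class of bug looks like in code, as an added example that is not FormCraft's code and not part of the original advisory. The field array, function names and sample value are hypothetical and constructed; plain PHP functions stand in for the WordPress helpers so the block runs stand-alone.

```php
<?php
// Added example: hypothetical field model and function names, not FormCraft code.

// Constructed sample: a stored heading field whose text contains markup.
$stored_field = [
    'type' => 'heading',
    'text' => 'Contact us <script>alert(1)</script>',
];

// Unsafe pattern: stored text is concatenated into the page as-is,
// so any markup in it is parsed by the browser of everyone who views the form.
function render_heading_unsafe(array $field): string
{
    return '<h2 class="form-heading">' . $field['text'] . '</h2>';
}

// Primary control: encode at render time so the text can never become markup.
// Inside WordPress, esc_html() fills this role.
function render_heading_escaped(array $field): string
{
    $text = htmlspecialchars($field['text'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h2 class="form-heading">' . $text . '</h2>';
}

// Second layer: reduce the value to plain text when the form is saved.
// Inside WordPress, sanitize_text_field() is the usual choice for such a field.
// strip_tags() alone is not a complete sanitizer, so output encoding stays on.
function sanitize_heading_on_save(string $raw): string
{
    $plain = strip_tags($raw);
    return trim(preg_replace('/\s+/u', ' ', $plain));
}

$unsafe  = render_heading_unsafe($stored_field);
$escaped = render_heading_escaped($stored_field);
$cleaned = sanitize_heading_on_save($stored_field['text']);

// The unsafe render carries a live tag; the escaped render carries only text.
assert(strpos($unsafe, '<script>') !== false);
assert(strpos($escaped, '<script>') === false);
assert(strpos($escaped, '&lt;script&gt;') !== false);
assert($cleaned === 'Contact us alert(1)');

echo $escaped, PHP_EOL;
```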