The plugin does not escape its form name, which could lead to Stored Cross-Site Scripting issues. By default only SuperAdmins (in multisite) / admins (in single site) can create forms, however there is a settings allowing them to give lower roles access to such feature.
Create a new form with the following name: " style=animation-name:rotation onanimationstart=alert(/XSS/)// Save it and access the plugin’s dashboard again to trigger the XSS
CPE | Name | Operator | Version |
---|---|---|---|
nex-forms-express-wp-form-builder | lt | 8.4.4 |