The plugin does not sanitise or escape its Form Name, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfiltered_html capability is disallowed
Create a new Form via the plugin, fill it with any values. In the next step, change the Form name to: "/> and save the form The XSS will be triggered when viewing the forms list (/wp-admin/admin.php?page=visual-form-builder) or when editing the related form
CPE | Name | Operator | Version |
---|---|---|---|
visual-form-builder | lt | 3.0.4 |