Jetpack CRM < 5.5 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins

PoC

As a contributor, create a post/page with the following payload (a form from the plugin with id 1 must exist): [jetpackcrm_form id=‘1"style=position:absolute;top:0;left:0;max-width:9999px;width:9999px;height:9999px onmouseover=alert(/XSS/)//’ style=‘simple’] The XSS will be triggered when the post/page is previewed/viewed and the mouse moved anywhere