Source: wpvulndb
Author: Andreas Damen
WPVDB-ID: 6D50D3CC-7563-42C4-977B-F834FEE711DA
History: Jul 10, 2023 - 12:00 a.m.

Forminator < 1.24.4 - Reflected XSS

2023-07-10 00:00:00
Andreas Damen
wpscan.com
8
Tags: forminator, xss, plugin, vulnerability, unescaped values, pre-populated query parameters, security

EPSS: 0.001 (Low)
EPSS Percentile: 21.2%

The plugin does not properly escape values that are being reflected inside form fields that use pre-populated query parameters, which could lead to reflected XSS attacks.
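As an added illustration of the issue described above (this is not Forminator's code), a minimal PHP rendering of a textarea pre-populated from a query parameter, first in the unsafe form and then with output escaping; the parameter name and the function names are assumptions.

```php
<?php
// Added example (not the plugin's code): a textarea pre-populated from a
// query parameter, rendered unsafely and then with proper HTML escaping.

// Hypothetical parameter name, standing in for whatever the form author
// typed into the field's "query parameter" box.
const PREFILL_PARAM = 'blah';

// Vulnerable pattern: the raw query value is concatenated into the HTML,
// so any markup it contains is parsed as markup (reflected XSS).
function render_message_field_unsafe(array $query): string
{
    $value = $query[PREFILL_PARAM] ?? '';
    return '<textarea name="message">' . $value . '</textarea>';
}

// Hardened pattern: escape for the HTML text context before output.
// In WordPress the matching helper is esc_textarea(); plain PHP is used
// here so the snippet runs without WordPress loaded.
function render_message_field_safe(array $query): string
{
    $value = $query[PREFILL_PARAM] ?? '';
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<textarea name="message">' . $escaped . '</textarea>';
}

// Constructed query string standing in for $_GET on a request such as
// /?p=145&blah=... (benign markup, not the advisory's payload).
parse_str('p=145&preview=true&blah=</textarea><b>injected</b>', $query);

// Unsafe: the textarea is closed early and <b> becomes live markup.
echo render_message_field_unsafe($query), "\n";
// Safe: the value is shown literally inside the textarea.
echo render_message_field_safe($query), "\n";
```

If the field is instead filled client-side from the URL, the same context rule applies: assign the value through the element's value property, never by writing it into innerHTML.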

PoC

1. Create a “Contact Us” form from the plugin presets.
2. Click on the Message field, go to the “Settings” tab, choose a name for the parameter you want to use to pre-populate that field later, and enter it in the “query parameter” textbox.
3. Save the form, add the resulting shortcode to a post, and preview it.
4. Once on the previewed post, add the parameter you set in Step 2 to the post’s URL, with the following value: <img src=x onerror=alert(window.domain);//> The resulting URL should look similar to the following (the parameter name I chose at Step 2 is “blah”): https://example.com/?p=145&preview=true&blah=<img src=x <script>onerror=alert(window.domain);//>
5. Click on the textarea containing the seemingly encoded IMG tag and press backspace once. This should launch the alert box.

CPE Name: forminator
Operator: lt
Version: 1.24.4
