Description

The plugin does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks.

1. Create a contact form.
2. Embed the contact form shortcode on a post or page.
3. As an unauthenticated user, inject the inputs for a malicious script such as `` into the name field.
4. Go to the "Leads" section as an admin.
5. See the XSS.
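
The missing sanitise-and-escape steps described above, sketched as an added example that is not the plugin's code: it assumes a leads table with `name` and `email` columns, and every function and field name is hypothetical. Plain PHP functions stand in for the WordPress helpers named in the comments so the file runs on its own.

```php
<?php
// Added illustration, not the plugin's code. Function and field names are hypothetical.

// Input side: normalise a submitted field before it is stored.
// (In a WordPress plugin, sanitize_text_field() fills this role.)
function clean_field(string $raw): string
{
    $text = strip_tags($raw);                                // drop markup
    $text = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $text);  // control characters and newlines
    return trim($text);
}

// Output side as the report describes it: the stored value is placed
// into the admin page's HTML unchanged.
function render_lead_row_unescaped(array $lead): string
{
    return '<tr><td>' . $lead['name'] . '</td><td>' . $lead['email'] . '</td></tr>';
}

// Output side, corrected: escape for the HTML context at the point of output,
// whatever happened at input time.
// (In WordPress: esc_html() for element content, esc_attr() for attribute values.)
function render_lead_row(array $lead): string
{
    $e = static fn(string $v): string =>
        htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td>' . $e($lead['name']) . '</td><td>' . $e($lead['email']) . '</td></tr>';
}

// Constructed sample submission with markup in the name field.
$submitted = ['name' => '<b>Bob</b> "Lead"', 'email' => 'bob@example.test'];

// Stored as submitted, rendered without escaping: the markup is interpreted by the admin's browser.
echo render_lead_row_unescaped($submitted), PHP_EOL;

// Stored as submitted, rendered with escaping: the markup is displayed as text.
echo render_lead_row($submitted), PHP_EOL;

// Sanitised before storage and escaped on output: both layers applied.
$stored = array_map('clean_field', $submitted);
echo render_lead_row($stored), PHP_EOL;
```

Escaping at output is the control that closes the admin-side rendering path; input sanitisation alone does not cover values already stored or written by other code paths.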

| CPE | Name | Operator | Version |
|---|---|---|---|
| | | eq | 3.4 |