The plugin does not sanitize and escape the Custom Text settings, which could allow high privilege user such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
In a form settings, put the following payload in the Actions after submission > Action Type > Custom Text: The XSS will be triggered after a form is submitted
CPE | Name | Operator | Version |
---|---|---|---|
form-maker | lt | 1.14.12 |