Form Maker Plugin for WordPress Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Form Maker plugin for WordPress, affecting all versions through 1.15.35. The issue arises from inadequate output escaping of hidden field values in the admin submissions list. The plugin's use of html_entity_decode() on user-supplied hidden field values, without proper escaping before output, allows HTML entity-encoded payloads to be converted back into executable JavaScript. This vulnerability enables unauthenticated attackers to inject arbitrary web scripts into the admin submissions view, where they will execute whenever an administrator accesses the submissions list.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the submissions list, potentially leading to administrative account compromise.

Reproduction

To reproduce this vulnerability, upload a form using the Form Maker plugin that includes hidden fields. After the form is submitted, the injected script will execute when an administrator views the submissions list.

Remediation

Users are advised to update the Form Maker plugin to version 1.15.36 or later.