Description
The plugin does not sanitize and escape its label fields, which could allow high-privilege users such as admins to perform Stored XSS attacks. Only users with the unfiltered_html capability can perform this, and such users are already allowed to use JS in posts, comments, etc. However, the vendor acknowledged and fixed the issue.
1. Install and activate the Ninja Forms WordPress plugin.
2. As an admin with the unfiltered_html capability, create a new form.
3. In the form settings, add a new text field.
4. In the field label, enter the following code: <img src=x onerror=alert(1)>, or Name<a href=javascript:alert(/XSS-1/) onfocus=alert(/XSS-2/) autofocus>ClickME, maybe</a>
5. Save the form.
The XSS will be triggered when viewing the form in the frontend, as well as when editing the form in the backend.
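
The missing sanitize-on-save and escape-on-output steps described above, shown as an added example that is not Ninja Forms code or the vendor's fix. The function names are hypothetical, and plain PHP built-ins are used so the script runs without WordPress; in a plugin the corresponding WordPress helpers are sanitize_text_field() or wp_kses() on save and esc_html() on output.

```php
<?php
// Added example: hypothetical helpers, not taken from the plugin.

// Vulnerable pattern: the stored label is concatenated into markup as-is,
// so any tags or event-handler attributes in it reach the browser intact.
function render_label_unsafe(string $label): string {
    return '<label class="field-label">' . $label . '</label>';
}

// Save-time sanitization: a field label is plain text, so drop all markup
// before it is written to the database.
function sanitize_label(string $label): string {
    return trim(strip_tags($label));
}

// Output-time escaping: encode HTML metacharacters, including both quote
// styles. This is the primary control, because it also covers labels that
// were stored before save-time sanitization existed.
function render_label_safe(string $label): string {
    $escaped = htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<label class="field-label">' . $escaped . '</label>';
}

// Labels taken from the reproduction steps on this page.
$labels = [
    '<img src=x onerror=alert(1)>',
    'Name<a href=javascript:alert(/XSS-1/) onfocus=alert(/XSS-2/) autofocus>ClickME, maybe</a>',
];

foreach ($labels as $label) {
    echo 'unsafe render : ', render_label_unsafe($label), PHP_EOL;
    echo 'sanitized     : ', sanitize_label($label), PHP_EOL;
    echo 'escaped render: ', render_label_safe($label), PHP_EOL, PHP_EOL;
}
```

Both the frontend form view and the backend form editor need the escaped render path, since the label is output in both places.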