Description

The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).

1. Click SendPress (available on the left side).
2. Go to Settings => Forms => Create Form => Form Type => Signup, then click Save.
3. The label parameters of the form are vulnerable to Stored Cross-Site Scripting. Vulnerable parameters: Salutation Label, First Name Label, Last Name Label, Phone Number Label, E-Mail Label, Button Text, Lists Label: multiple lists only, and Approval Label.
5. Payload: "/>![](x)
6. Inject the above payload into the vulnerable parameters listed above and save.
7. The malicious JavaScript payload executes successfully.
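
An added example, not the plugin's own code or part of the original report: a label setting printed without escaping beside the escaped form, with a save-time sanitiser and a check over stored settings. The setting keys, function names and sample values are assumptions constructed for illustration.

```php
<?php
// Added example, not SendPress code: keys and function names are hypothetical.
// Constructed settings; button_text reuses the report's "/> prefix with inert markup.
$settings = [
    'first_name_label' => 'First Name',
    'button_text'      => '"/><b>constructed</b>',
];

// Before: stored values are concatenated into the page unchanged, so the
// "/> prefix closes the value attribute and the rest is parsed as markup.
function render_unescaped(array $s): string {
    return '<label>' . $s['first_name_label'] . '</label>'
         . '<input type="submit" value="' . $s['button_text'] . '"/>';
}

// Output escaping for HTML text and quoted attributes. In a WordPress plugin
// the usual calls are esc_html() and esc_attr().
function esc(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// After: every setting is escaped where it is printed.
function render_escaped(array $s): string {
    return '<label>' . esc($s['first_name_label']) . '</label>'
         . '<input type="submit" value="' . esc($s['button_text']) . '"/>';
}

// Save-time sanitisation for plain-text labels (WordPress: sanitize_text_field()).
// Applied to every user, admins included, because the report concerns sites
// where unfiltered_html is disallowed. Quotes survive this step, which is why
// the output escaping above is still required.
function sanitize_label(string $v): string {
    return trim(strip_tags($v));
}

// Audit: keys of stored settings whose value changes when escaped. Labels
// with a legitimate & or quote are listed too, so treat the result as a review list.
function audit_settings(array $s): array {
    return array_keys(array_filter($s, fn($v) => esc($v) !== $v));
}

echo render_unescaped($settings), "\n";
echo render_escaped($settings), "\n";
echo sanitize_label($settings['button_text']), "\n";
echo implode(', ', audit_settings($settings)), "\n";
```

Run with the PHP CLI (7.4 or later); the second line of output shows the same setting rendered as inert text inside the attribute.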