The plugin does not sanitise and escape its Form’s Labels, allowing high privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
Create/edit a form, add the following payload to a Field Label: The XSS will be triggered when viewing/previewing the Form
CPE | Name | Operator | Version |
---|---|---|---|
formidable | lt | 5.0.07 |