Description The plugin does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored XSS attacks. Only users with the unfiltered_html capability can perform this, and such users are already allowed to use JS in posts/comments etc however the vendor acknowledged and fixed the issue
1. Install and activate the Ninja Forms WordPress 2. As an admin with the unfiltered_html capability, create a new form. 3. In the form settings, add a new text field. 4. In the field label, enter the following code: , or NameClickME, maybe 5. Save the form. The XSS will be triggered when viewing the form in the frontend, as well as when editing the form in the backend