youForms for WordPress <= 1.0.5 - Authenticated Stored Cross-Site Scripting
Description
youForms for WordPress ≤1.0.5 allows editors and administrators to inject stored XSS via the unsanitized Button Text field, even when the unfiltered_html capability is disabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The youForms for WordPress plugin, through version 1.0.5, fails to sanitize or escape the Button Text field within its Templates [1]. High-privilege users (editors and administrators) can therefore inject arbitrary JavaScript or HTML into the field; the value is stored and later rendered, and executed, in the context of the WordPress admin area. The vulnerability exists even when the unfiltered_html capability is disallowed [1], because the field is saved through the plugin's own handler rather than through the content filtering WordPress applies to post content.
Exploitation
An attacker must have editor or administrator access to the WordPress site to exploit the vulnerability [1]. No special network position is required, and the only user interaction needed is a victim administrator viewing the stored data. The attacker navigates to the plugin's template settings, locates the Button Text field, and enters a payload string containing JavaScript code; the plugin stores the payload unsanitized [1].
Impact
When a user with sufficient privileges (e.g., another administrator) views the affected template in the admin interface, the stored payload executes as Cross-Site Scripting (XSS). An attacker can use this to steal session cookies, forge administrator requests, or deface the admin panel [1]. The compromise is bounded by the context of the affected WordPress admin user's session.
Mitigation
As of the latest referenced information, no fix has been released for this vulnerability [1], and the plugin has not received an update beyond version 1.0.5. Recommended mitigations are to restrict editor and administrator accounts to trusted users only, or to disable or replace the plugin if the risk is unacceptable. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
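To illustrate the defect class described under Vulnerability and the code-level remediation a plugin maintainer would apply, the following is an added, hypothetical WordPress plugin fragment. It is not youForms' code; the option name, request field name and function names are assumptions chosen for the example.

```php
<?php
// Added illustration, not youForms' code. Option/field names are assumed.
// A plugin settings field such as "Button Text" is saved through the plugin's
// own handler, so the kses filtering WordPress applies to post content for
// users without unfiltered_html never touches it; the plugin must sanitize.

// VULNERABLE pattern: raw request value stored, raw option echoed.
function yf_demo_save_button_text_vulnerable() {
    if ( isset( $_POST['yf_button_text'] ) ) {
        // Stored exactly as submitted, markup included.
        update_option( 'yf_demo_button_text', $_POST['yf_button_text'] );
    }
}
function yf_demo_render_button_vulnerable() {
    // Echoed without escaping: stored markup executes in the admin page.
    echo '<button type="submit">' . get_option( 'yf_demo_button_text' ) . '</button>';
}

// HARDENED pattern: capability and nonce check, sanitize on save, escape on output.
function yf_demo_save_button_text() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'yf_demo_save', 'yf_demo_nonce' );
    if ( isset( $_POST['yf_button_text'] ) ) {
        // Button text is plain text: strip tags, encoded octets and stray whitespace.
        $text = sanitize_text_field( wp_unslash( $_POST['yf_button_text'] ) );
        update_option( 'yf_demo_button_text', $text );
    }
}
function yf_demo_render_button() {
    $text = get_option( 'yf_demo_button_text', 'Submit' );
    // Escape at output as well: defence in depth against values written by other paths.
    echo '<button type="submit">' . esc_html( $text ) . '</button>';
}

// Register the option with a sanitize callback so the Settings API path is covered too.
add_action( 'admin_init', function () {
    register_setting( 'yf_demo_group', 'yf_demo_button_text', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
    ) );
} );
```

For a site operator without a fixed release, the hardened functions also describe what to look for when auditing the plugin: a settings handler that writes request input with update_option() and a template renderer that echoes it without an esc_* call.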
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress / youForms
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] wpscan.com/vulnerability/b5def0e7-2b4a-43e0-8175-28b28aa2f8ae (MISC)
News mentions
No linked articles in our index yet.