WordPress Connect Contact Form 7, WooCommerce To Google Sheets & Other Platforms – Advanced Form Integration Plugin <= 1.62.0 is vulnerable to Cross Site Scripting (XSS)
Description
Stored XSS vulnerability in AFI plugin versions ≤ 1.62.0 allows admin-level attackers to inject malicious scripts via stored form integration settings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the Advanced Form Integration plugin for WordPress, versions 1.62.0 and earlier [1]. The issue resides in the plugin's admin-facing form integration configuration pages, where user-supplied input is not properly sanitized before being stored and later rendered. An attacker with admin-level privileges can inject arbitrary web scripts into saved settings, which are then executed in the context of the admin dashboard [1].
Exploitation
An attacker must have administrator-level access to the WordPress site (Auth. admin+) [1]. No further user interaction is required beyond saving the malicious configuration. The attacker navigates to the plugin's settings page, inserts malicious JavaScript payloads into vulnerable input fields (e.g., integration labels or mapping fields), and saves the configuration. Any subsequent admin user who views the affected settings page will trigger the stored payload [1].
Impact
Successful exploitation leads to stored cross-site scripting (XSS) [1]. This allows the attacker to execute arbitrary JavaScript in the context of another administrator's session. Impact may include privilege escalation, session hijacking, forced administrative actions, or defacement of the admin interface. The compromise is confined to the admin dashboard and does not directly affect site visitors [1].
Mitigation
A fix is available in plugin version 1.132.1 or later, released after the vulnerable 1.62.0 version [1]. Users should update to the latest version immediately. No workaround is disclosed in the available references. The plugin is actively maintained on the WordPress plugin repository. This CVE is not known to be listed in CISA's Known Exploited Vulnerabilities catalog.
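The pattern the Vulnerability section describes (a settings value persisted without sanitization and echoed back unescaped) beside its hardened form, as an added example in PHP that is not the AFI plugin's own code; the option name afi_example_settings, the field integration_label and all function names are hypothetical.

```php
<?php
// Added example, not AFI plugin code. Option, field and function names are hypothetical.

// --- Vulnerable pattern: raw POST value stored, then echoed without escaping ---
function afi_example_save_vulnerable() {
    if ( isset( $_POST['integration_label'] ) ) {
        // No sanitization: whatever the admin typed, tags included, is persisted.
        update_option( 'afi_example_settings', array( 'integration_label' => $_POST['integration_label'] ) );
    }
}

function afi_example_render_vulnerable() {
    $settings = get_option( 'afi_example_settings', array() );
    $label    = $settings['integration_label'] ?? '';
    // Unescaped output: stored markup is rendered into every admin's browser that loads this page.
    echo '<input name="integration_label" value="' . $label . '">';
}

// --- Hardened pattern: capability + nonce check, sanitize on save, escape on output ---
function afi_example_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // Rejects requests that did not originate from the plugin's own settings form.
    check_admin_referer( 'afi_example_save', 'afi_example_nonce' );
    $label = isset( $_POST['integration_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['integration_label'] ) ) // strips tags and control chars
        : '';
    update_option( 'afi_example_settings', array( 'integration_label' => $label ) );
}

function afi_example_render_hardened() {
    $settings = get_option( 'afi_example_settings', array() );
    $label    = $settings['integration_label'] ?? '';
    // esc_attr() encodes quotes and angle brackets, so the value cannot break out of the attribute.
    echo '<input name="integration_label" value="' . esc_attr( $label ) . '">';
    wp_nonce_field( 'afi_example_save', 'afi_example_nonce' );
}
```

On single-site WordPress installs administrators hold the unfiltered_html capability, which is why admin-only stored XSS is commonly rated low; on multisite, where administrators lack it, the output escaping above is what keeps a stored value inert.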
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.62.0
- nasirahmed/Connect Contact Form 7, WooCommerce To Google Sheets & Other Platforms – Advanced Form Integration, Range: n/a
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.