Happyforms < 1.22.0 - Contributor+ Stored XSS
Description
Happyforms WordPress plugin <=1.21.1 allows contributor+ users to inject stored XSS via unescaped block options.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Happyforms WordPress plugin prior to version 1.22.0 fails to validate and escape some of its block options before outputting them back in a page or post where the block is embedded. This vulnerability allows stored cross-site scripting (XSS) when a user with the contributor role or higher inserts a Happyforms block with specially crafted block option values [1].
Exploitation
An attacker must have a WordPress user account with at least the contributor role, which grants the ability to create and edit posts or pages. The attacker inserts or edits a Happyforms block and sets one of the vulnerable block options to a malicious JavaScript payload. When a site administrator or other user views the affected post/page, the payload executes in their browser [1].
Impact
Successful exploitation results in stored cross-site scripting. The attacker can execute arbitrary JavaScript in the context of the victim's browser session, potentially leading to cookie theft, session hijacking, or defacement of the site. The attack targets users who view the compromised content, including administrators [1].
Mitigation
Update to Happyforms version 1.22.0 or later, which contains the fix for this vulnerability. No workaround is available for unpatched versions. The plugin is actively maintained [1].
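As an added illustration for the Vulnerability and Mitigation sections (example code, not Happyforms' own), the unescaped render pattern the advisory describes sits beside its escaped form using WordPress's esc_attr() and esc_html(); the block name "example/form" and the option names "title" and "button_label" are hypothetical stand-ins, since the advisory does not name the affected options.

```php
<?php
// Added example; not code from the Happyforms plugin. The block name and the
// option names below are hypothetical placeholders for the real block options.

// Vulnerable pattern: block attribute values are concatenated straight into
// markup. Contributors lack the unfiltered_html capability, but block options
// are stored as JSON inside the block's HTML comment delimiter, which KSES
// does not sanitise, so a stored value is rendered verbatim to every viewer.
function example_form_block_render_unescaped( $attributes ) {
    $title = $attributes['title'] ?? '';
    $label = $attributes['button_label'] ?? 'Submit';
    return '<div class="example-form" data-title="' . $title . '">'
         . '<h3>' . $title . '</h3>'
         . '<button type="submit">' . $label . '</button>'
         . '</div>';
}

// Hardened pattern: escape at output with the helper that matches the HTML
// context. esc_attr() for attribute values, esc_html() for text content.
// Coercing to string first keeps non-string JSON values from slipping through.
function example_form_block_render_escaped( $attributes ) {
    $title = (string) ( $attributes['title'] ?? '' );
    $label = (string) ( $attributes['button_label'] ?? 'Submit' );
    return '<div class="example-form" data-title="' . esc_attr( $title ) . '">'
         . '<h3>' . esc_html( $title ) . '</h3>'
         . '<button type="submit">' . esc_html( $label ) . '</button>'
         . '</div>';
}

// Register the block with the escaped callback. Declaring attribute types here
// documents the schema but is not a security control: the stored JSON is
// author-controlled, so output escaping in the callback is what prevents XSS.
add_action( 'init', function () {
    register_block_type( 'example/form', array(
        'attributes' => array(
            'title'        => array( 'type' => 'string', 'default' => '' ),
            'button_label' => array( 'type' => 'string', 'default' => 'Submit' ),
        ),
        'render_callback' => 'example_form_block_render_escaped',
    ) );
} );
```

A quick regression check for a fix like this is to store a title containing a double quote and an angle bracket through a contributor account and confirm the rendered page shows them as text rather than as markup.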
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
WordPress / Happyforms (source: description)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] wpscan.com/vulnerability/b28150e7-214b-4bcd-85c0-e819c4223484 (MITRE reference; tags: exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.