• Hello Michael,

    I have recently identified that the plugin is vulnerable to Stored XSS attacks during the display of data on the admin panel. The vulnerability lies in the parsing of contact forms’ requests. When a user adds a new parameter to the POST request which submits a form, the plugin adds this parameter as a new form parameter in the db. This function is where the vulnerability lies. If the user passes a parameter with the name “><script>alert(‘XSS’);</script> and any value, they would have successfully stored their JavaScript code in the database and thus on the admin panel whenever the admins try to view the filled forms through the plugin’s panel. Even if the XSS is fixed, this behavior could also be abused in order to create thousands of rows in the forms’ db table in seconds. I would suggest only passing the original form fields to the database and not any parameter which might exist in the POST request which submits the form.

    Please inform me if you need any more clarifications.

    Regards,
    Panos
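
The two mitigations the post above points to (store only the form's own fields, and escape stored names and values when the admin view renders them), sketched as an added example that is not part of the original post and is not the plugin's code. The field list, the length cap and the function names are hypothetical, and the request data is constructed.

```php
<?php
// Added illustration: hypothetical names throughout, not the plugin's code.
// Fields the site owner actually defined for this form (assumed).
const FORM_FIELDS   = ['name', 'email', 'message'];
const MAX_VALUE_LEN = 2000; // assumed per-value cap, bounds row size

/** Build the row to store from the defined fields only; extra POST parameters are dropped. */
function filter_submission(array $post): array
{
    $row = [];
    foreach (FORM_FIELDS as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value)) {   // e.g. message[]=x arrives as an array
            $value = '';
        }
        $row[$field] = substr($value, 0, MAX_VALUE_LEN);
    }
    return $row;
}

/** Escape for HTML text and quoted-attribute contexts. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render one stored submission for the admin view, escaping names and values. */
function render_row(array $row): string
{
    $html = "<table>\n";
    foreach ($row as $label => $value) {
        $html .= '<tr><th>' . h((string) $label) . '</th><td>'
               . h((string) $value) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Constructed request: the three real fields plus one injected parameter name.
$post = [
    'name'    => 'Alice',
    'email'   => 'alice@example.test',
    'message' => '<b>hi</b>',
    '"><script>alert(1)</script>' => 'x',
];

echo render_row(filter_submission($post));          // injected parameter never stored
echo render_row(['"><script>' => 'legacy value']);  // rows stored earlier render inert
```

Escaping at render time matters even with the allowlist in place, because rows written before the fix may already hold attacker-chosen field names.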

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Stored XSS Vulnerability Identified’ is closed to new replies.