The National Vulnerability Database (NVD) has issued an advisory on an XSS vulnerability.
The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP).
The NVD describes the reason for the vulnerability and how an attack can happen: “The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks.”
Websites that have the plugin installed should update to the latest version. No matter what type of site you run, GetGoingHub can scan your site for security vulnerabilities, malware, and online threats.
XSS vulnerabilities generally occur when an application fails to sanitize the data a user submits. Sanitization may occur when the data is received (input sanitization) or before the data is passed across a trust boundary (output sanitization). A trust boundary is the point at which you expect threats to appear and where you determine who has control over your web server, business logic and database.
Anywhere a user can input data can become vulnerable when there is no control over what can be submitted. Contact forms built with WordPress plugins are especially prone to this: when a plugin fails to properly sanitize user-supplied input, it can let attackers upload arbitrary files.
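To make the two sanitization points concrete, here is an added example (not code from the advisory, the plugin, or GetGoingHub) in Python. It models a shortcode handler like the one the advisory describes: a contributor stores `[popup ...]` in post content, and the renderer is the trust boundary where that stored value reaches a visitor's browser. The attribute names (`id`, `class`, `title`), the shortcode grammar and the sample inputs are all constructed for illustration and are not Popup Maker's real attribute set. The vulnerable renderer interpolates attributes as-is; the hardened one validates each attribute against what it is supposed to contain (input sanitization) and HTML-encodes free text for the attribute context (output sanitization).

```python
import html
import re

# Hypothetical shortcode grammar: key="value" or key='value' pairs (constructed for this example).
ATTR_RE = re.compile(r"""(\w+)=(?:"([^"]*)"|'([^']*)')""")
# Allowlist for a single CSS class token: letters, digits, underscore, hyphen.
CSS_CLASS_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Constructed sample inputs: one benign, one carrying the kind of stored-XSS
# payload the advisory warns about (a crafted title, not a real-world value).
BENIGN = '[popup id="42" class="promo" title="Sale"]'
TAINTED = """[popup id="42" class="promo" title='"><script>alert(1)</script>']"""


def parse_shortcode_atts(shortcode: str) -> dict:
    """Extract attribute name/value pairs from a shortcode string."""
    atts = {}
    for m in ATTR_RE.finditer(shortcode):
        # group 2 is a double-quoted value, group 3 a single-quoted one
        atts[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return atts


def render_vulnerable(shortcode: str) -> str:
    """Interpolates stored attribute values straight into HTML: no validation, no escaping."""
    a = parse_shortcode_atts(shortcode)
    return (
        f'<div class="popup {a.get("class", "")}" data-id="{a.get("id", "")}" '
        f'title="{a.get("title", "")}"></div>'
    )


def render_hardened(shortcode: str) -> str:
    """Validate each attribute for its expected shape, then escape at the output boundary."""
    a = parse_shortcode_atts(shortcode)

    # Input sanitization: id must be a plain positive integer.
    popup_id = a.get("id", "")
    if not popup_id.isdigit():
        raise ValueError("popup id must be numeric")

    # Input sanitization: class must be a single allowlisted CSS token.
    css_class = a.get("class", "")
    if css_class and not CSS_CLASS_RE.match(css_class):
        raise ValueError("class contains characters outside the allowlist")

    # Output sanitization: title is free text, so encode it for the HTML attribute context.
    # quote=True also encodes " and ', which is what prevents breaking out of the attribute.
    title = html.escape(a.get("title", ""), quote=True)

    return f'<div class="popup {css_class}" data-id="{popup_id}" title="{title}"></div>'


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(TAINTED))
    print("hardened:  ", render_hardened(TAINTED))
```

Running the block prints the two renderings side by side: the vulnerable one closes the `title` attribute early and emits a live `<script>` element, while the hardened one keeps the same text inert as `&quot;&gt;&lt;script&gt;...`. Note that escaping is context-specific; a value placed inside a `<script>` block or a URL attribute would need a different encoder than `html.escape`.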
An attacker can exploit an XSS vulnerability to execute code or commands against a website or server without the owner’s knowledge. This may facilitate unauthorized access or privilege escalation attacks, both vertical and horizontal. Vertical attacks are those in which an attacker gains unauthorized privileged access to a system or account with the intent to perform actions as that user. Horizontal attacks gain access to account(s) with limited permissions and require an escalation of privileges, such as to an administrator role, to perform the desired actions.