Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Fluent Forms
After version 4.3.24 of the WordPress plugin Fluent Forms was released, the developer made an additional change to that version with no description of the change. That change was flagged by our machine learning system, which tries to catch security fixes being made without them being disclosed.
Looking at the changes made, it looked like there was a security change being made, but the wrong one. For example, in the file /app/Services/FormBuilder/Components/Address.php, this line was changed:
echo '<label aria-label='."$label".'>' . fluentform_sanitize_html($data['settings']['label']) . '</label>';
It was changed to add a sanitization function, wp_strip_all_tags(), which removes HTML tags:
echo '<label aria-label='.wp_strip_all_tags("$label").'>' . fluentform_sanitize_html($data['settings']['label']) . '</label>';
The relevant function to use there, though, would be the escaping function esc_attr(), since the value is being placed in an HTML attribute rather than in the body of the page.
In testing this out, we found that if you allow lower-level users (with the unfiltered_html capability) access to edit forms, which the plugin allows, they could cause JavaScript code to run on front-end pages containing the form as well as on the form preview page in the admin area.
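To show why stripping tags is the wrong tool for a value placed in an HTML attribute, and why attribute escaping is the right one, here is an added PHP example that is not code from Fluent Forms or from this post. It uses simplified stand-ins for WordPress's wp_strip_all_tags() and esc_attr() so it runs without WordPress loaded, and a constructed label value with the same shape as the proof of concept below.

```php
<?php
// Added example, not code from Fluent Forms or the original post. The two
// helpers are simplified stand-ins for WordPress's wp_strip_all_tags() and
// esc_attr() so the script runs without WordPress loaded.

function demo_strip_all_tags(string $text): string {
    // Same steps as wp_strip_all_tags(): drop <script>/<style> blocks with
    // their content, then strip every remaining tag.
    $text = preg_replace('@<(script|style)[^>]*?>.*?</\\1>@si', '', $text);
    return trim(strip_tags($text));
}

function demo_esc_attr(string $text): string {
    // Same idea as esc_attr(): encode & < > " ' so the value cannot end a
    // quoted attribute. Spaces are left alone, so the attribute must be quoted.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_label(string $label, callable $filter): string {
    // Quoted attribute value, as the corrected line should emit it.
    return '<label aria-label="' . $filter($label) . '">Field</label>';
}

function has_injected_handler(string $html): bool {
    // Parse the markup the way a browser would and ask whether the <label>
    // ended up with an onmouseover attribute of its own.
    libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    $dom->loadHTML($html);
    $el = $dom->getElementsByTagName('label')->item(0);
    return $el !== null && $el->hasAttribute('onmouseover');
}

// Constructed label value with the same shape as the proof of concept below.
$label = '" onmouseover="alert(document.cookie);';

foreach (['demo_strip_all_tags', 'demo_esc_attr'] as $fn) {
    $html = render_label($label, $fn);
    echo $html, PHP_EOL;
    // Stripping tags removes nothing here (the value has no tags), so the
    // leading quote closes aria-label and onmouseover becomes a real attribute.
    // Escaping turns the quotes into &quot;, so the whole value stays inside
    // aria-label and the parser sees no handler.
    printf("%-20s %s\n\n", $fn,
        has_injected_handler($html) ? 'handler injected' : 'value contained');
}
```

The check at the end is the property a fix should be judged on: after rendering, the element must carry only the attributes the template intended, regardless of what the label contains.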
We have notified the developer and offered to help them address this.
Proof of Concept
As a user with the Author role, add a Check Box to a form with the Element Label set to:
" onmouseover="alert(document.cookie);
When scrolling over the check box on a page with the form, an alert box with the me