CVE-2020-10385: 
WordPress vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability was discovered in the WPForms Contact Form (aka wpforms-lite) plugin versions before 1.5.9 for WordPress. The vulnerability was identified on March 5, 2020, and assigned CVE-2020-10385. WPForms is a popular WordPress forms plugin with over 3 million active installations (Astra Blog, Researcher Blog).

The vulnerability exists in the Form Description and Field Description fields within the WPForms plugin's Form Builder module, which failed to properly sanitize user input. The issue was classified as a stored XSS vulnerability with a CVSS v3.1 base score of 5.4 (Medium), requiring low privileges and user interaction. The vulnerability also affected the form builder's preview function, which was vulnerable to reflected XSS (NVD, Researcher Blog).

While classified as an authenticated XSS vulnerability, the impact could be significant in WordPress multisite installations. Attackers could potentially exploit this vulnerability to steal super admin session cookies, redirect administrators to phishing pages, perform unauthorized actions on behalf of victims, or compromise login credentials (Astra Blog).

The vulnerability was patched in WPForms version 1.5.9, released on March 5, 2020. Users are strongly recommended to update to this version or later, which includes improved data sanitization to prevent XSS attacks (WPForms Changelog).