CVE-2022-23179: 
WordPress vulnerability analysis and mitigation

The Contact Form & Lead Form Elementor Builder WordPress plugin before version 1.7.0 contains a Cross-Site Scripting (XSS) vulnerability. This security issue was discovered and reported on January 5, 2022, and was assigned the identifier CVE-2022-23179. The vulnerability affects the form fields functionality of the plugin, specifically when handling user input in form attributes (WPScan).

The vulnerability stems from improper input sanitization where the plugin fails to escape some of its form fields before outputting them in attributes. This creates a Cross-Site Scripting (XSS) vulnerability, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 4.8 (Medium), with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. This could potentially lead to unauthorized script execution in the context of other users' browsers who access the affected forms (WPScan).

The vulnerability has been fixed in version 1.7.0 of the Contact Form & Lead Form Elementor Builder plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).