CVE-2023-3501: 
WordPress vulnerability analysis and mitigation

The FormCraft WordPress plugin before version 1.2.7 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-3501. The vulnerability was discovered by Sayandeep Dutta and publicly disclosed on August 2, 2023. This security issue affects the FormCraft form builder plugin for WordPress installations (WPScan, NVD).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. This security flaw exists even when the unfiltered_html capability is disallowed, such as in multisite setups. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The issue is classified as CWE-79 (Cross-Site Scripting) and falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan, NVD).

When exploited, this vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. The impact is considered medium severity, with potential for limited confidentiality and integrity breaches (NVD).

The vulnerability has been patched in FormCraft version 1.2.7. Users are advised to update to this version or later to mitigate the security risk (WPScan).