
Cloud Vulnerability DB
A community-led vulnerabilities database
The Interactive Contact Form and Multi Step Form Builder WordPress plugin (Funnelforms Free) contains a stored Cross-Site Scripting (XSS) vulnerability in all versions before 3.4. The issue was disclosed in September 2023 and stems from the plugin's failure to sanitize and escape a submitted parameter, exposing affected WordPress installations to stored XSS (WPScan).
The root cause is missing input sanitization combined with missing output escaping: the plugin stores the name field of a contact form submission as received and later renders it without escaping. The vulnerability has been assigned a CVSS score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vector reflects a network-reachable, low-complexity attack that requires no privileges to plant the payload but does require user interaction (a privileged user must view the stored submission), with a scope change because the injected script executes in the victim's browser rather than in the plugin itself (NVD).
When exploited, the vulnerability lets an unauthenticated visitor submit a form whose name field carries HTML or JavaScript. The payload is stored in the database and executes when an administrator views the submissions in the 'Leads' section of the WordPress dashboard. Because the script runs inside the administrator's authenticated session, it can issue requests to wp-admin with that administrator's privileges (WPScan).
The vulnerability has been patched in version 3.4 of the Funnelforms Free plugin, and site administrators are strongly advised to update to this version or later. If immediate updating is not possible, the plugin should be disabled until it can be updated; note that reviewing pending submissions through the Leads page is itself the trigger for the vulnerability, so any interim review of stored leads should be done at the database or WP-CLI level rather than in the unescaped dashboard view. Updating changes how stored leads are rendered, so submissions received before the update should still be reviewed and deleted where they contain injected markup (WPScan).
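The following is an added illustration, not code from the Funnelforms plugin or from WPScan, written in Python rather than the plugin's PHP so that it runs stand-alone. It models the two behaviours the entry describes: a Leads page that concatenates the stored name field straight into HTML (the pre-3.4 pattern), beside a hardened renderer that escapes at output time, plus the two interim measures a practitioner would want, an input sanitizer for new submissions and an audit function that flags already-stored leads with injected markup without rendering them. The sample leads, the field names and the WordPress function names mentioned in comments (esc_html, esc_attr, sanitize_text_field) are assumptions for the example; the leads are constructed, not taken from any real site.

```python
import html
import re

# Constructed sample submissions (not real leads). Lead 1 and lead 3 carry the
# kind of payload a tester would submit to the name field; lead 2 is a
# legitimate name with characters that a naive filter would mangle.
SAMPLE_LEADS = [
    {"id": 1, "name": '<img src=x onerror="alert(document.cookie)">', "email": "a@example.com"},
    {"id": 2, "name": 'Ada "Grace" O\'Brien', "email": "ada@example.com"},
    {"id": 3, "name": "</td><script>fetch('/wp-admin/user-new.php')</script>", "email": "c@example.com"},
]


def render_leads_vulnerable(leads):
    """Models the pre-3.4 behaviour described in the advisory: the stored name is
    concatenated directly into the admin Leads table, so any markup in it is
    interpreted by the administrator's browser."""
    rows = "".join(
        f"<tr><td>{lead['id']}</td><td>{lead['name']}</td><td>{lead['email']}</td></tr>"
        for lead in leads
    )
    return f"<table>{rows}</table>"


def render_leads_hardened(leads):
    """Escapes every stored field at output time for the HTML text context
    (WordPress equivalent: esc_html()). quote=True also escapes quotes, so the
    same value stays safe if reused inside an attribute (esc_attr())."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(str(lead["id"]), quote=True),
            html.escape(lead["name"], quote=True),
            html.escape(lead["email"], quote=True),
        )
        for lead in leads
    )
    return f"<table>{rows}</table>"


def sanitize_name_on_input(name):
    """Defence in depth at submission time: strip tags and control characters,
    trim, and cap the length, roughly what sanitize_text_field() does in
    WordPress. This does not replace output escaping: a legitimate name such as
    O'Brien must survive, and the field may later be displayed in contexts
    (attributes, JavaScript) that tag stripping alone does not protect."""
    name = re.sub(r"<[^>]*>", "", name)
    name = re.sub(r"[\x00-\x1f\x7f]", "", name)
    return name.strip()[:100]


# Crude but useful audit pattern for already-stored data: script tags, inline
# event handlers, javascript: URLs and the usual payload-carrying elements.
SUSPICIOUS = re.compile(r"<\s*script|on\w+\s*=|javascript:|<\s*(img|svg|iframe|object)\b", re.I)


def find_suspicious_leads(leads):
    """Interim audit for sites that cannot update immediately: returns the ids of
    stored leads whose name field looks like injected markup, so they can be
    reviewed or deleted at the database level instead of through the unescaped
    Leads page, which is the very view that triggers the vulnerability."""
    return [lead["id"] for lead in leads if SUSPICIOUS.search(lead["name"])]


if __name__ == "__main__":
    print("vulnerable output contains raw <script>:", "<script" in render_leads_vulnerable(SAMPLE_LEADS))
    print("hardened output contains raw <script>:", "<script" in render_leads_hardened(SAMPLE_LEADS))
    print("leads to review before updating:", find_suspicious_leads(SAMPLE_LEADS))
```

The hardened renderer is the actual fix for this class of bug; the input sanitizer and the audit function are the layers you add around it. Note that the audit regex is a triage aid for a known incident, not a security boundary: it will miss encoded or obfuscated payloads, which is exactly why escaping on output, not filtering on input, is what closes the vulnerability.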
Source: This report was generated using AI