CVE-2023-5530: 
WordPress vulnerability analysis and mitigation

The Ninja Forms Contact Form WordPress plugin before version 3.6.34 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-5530. The vulnerability exists due to insufficient sanitization and escaping of label fields, affecting WordPress installations using the Ninja Forms plugin versions prior to 3.6.34 (NVD, WPScan).

The vulnerability stems from improper sanitization and escaping of label fields in the plugin. It has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified under CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability allows high-privilege users with unfiltered_html capability to perform Stored XSS attacks. While these users already have permissions to use JavaScript in posts and comments, the vulnerability creates additional attack vectors through form label fields. The XSS payload can be triggered both when viewing the form in the frontend and when editing the form in the backend (WPScan).

The vulnerability has been fixed in Ninja Forms version 3.6.34. Users are advised to update to this version or later to mitigate the risk. The fix was acknowledged by the vendor and implemented as part of their security improvements (Ninja Forms Blog).