CVE-2023-6828: 
WordPress vulnerability analysis and mitigation

The Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder plugin is vulnerable to Stored Cross-Site Scripting (XSS) via the 'arf_http_referrer_url' parameter in versions up to and including 1.5.8. This vulnerability was discovered and disclosed in January 2024 (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's handling of the 'arf_http_referrer_url' parameter. This security flaw allows unauthenticated attackers to inject arbitrary web scripts that execute whenever a user accesses an injected page. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) by NIST and 7.2 (High) by Wordfence, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows attackers to inject malicious scripts that execute in users' browsers when they visit affected pages. This can lead to potential data theft, session hijacking, or other client-side attacks targeting users of the WordPress site running the vulnerable plugin version (NVD).

Site administrators running ARForms Form Builder plugin versions 1.5.8 or earlier should immediately update to the latest version of the plugin that includes patches for this vulnerability (NVD).