CVE-2023-6842: 
WordPress vulnerability analysis and mitigation

The Formidable Forms WordPress plugin (versions up to 6.7) contains a Stored Cross-Site Scripting vulnerability (CVE-2023-6842) discovered in January 2024. The vulnerability exists in the name field label and description field label parameter due to insufficient input sanitization and output escaping (NVD).

The vulnerability allows authenticated attackers with administrator-level access to inject arbitrary web scripts that execute when users access affected pages. By default, this primarily affects multi-site installations and installations where unfiltered_html has been disabled. The vulnerability received a CVSS v3.1 base score of 4.8 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N from NIST, and 4.4 (Medium) from Wordfence (NVD).

When exploited, the vulnerability allows attackers to inject malicious scripts that execute in users' browsers when they access compromised pages. While the impact is limited by the requirement of administrator-level access, the vulnerability can potentially affect lower-level users if they have been granted specific form management permissions through the formidable settings (NVD).

Users should upgrade to a version newer than 6.7 of the Formidable Forms plugin to address this vulnerability. The fix has been implemented through improved input sanitization and output escaping (NVD).