CVE-2024-1905: 
WordPress vulnerability analysis and mitigation

The Smart Forms WordPress plugin before version 2.6.96 contains a stored Cross-Site Scripting (XSS) vulnerability. The plugin fails to properly sanitize and escape some of its settings, which could allow high-privilege users such as administrators to perform Stored XSS attacks even when the unfiltered_html capability is disallowed, such as in multisite setups (WPScan, NVD).

The vulnerability exists in the form editing functionality where certain fields lack proper input sanitization. Specifically, the CSS field and the 'After Submit' section's 'Show Alert Message' field are vulnerable to XSS payload injection. When a high-privilege user enters malicious JavaScript code in these fields, the code gets stored and later executed when the form is viewed (WPScan).

The vulnerability allows authenticated users with high privileges to store and execute arbitrary JavaScript code through the affected form fields. This could potentially lead to client-side attacks against other users who view the form, even in environments where unfiltered HTML is typically restricted (WPScan).

The vulnerability has been patched in Smart Forms version 2.6.96. Users are advised to update to this version or later to mitigate the risk. No alternative workarounds have been published (WPScan).