CVE-2024-7052: 
WordPress vulnerability analysis and mitigation

The Forminator Forms WordPress plugin before version 1.38.3 contains a stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-7052. The vulnerability was discovered by Dmitrii Ignatyev and publicly disclosed on January 24, 2025. This security issue affects the plugin's settings functionality, specifically impacting installations where high-privilege users such as administrators are present (WPScan).

The vulnerability stems from insufficient sanitization and escaping of certain settings within the plugin. This security flaw could be exploited even in scenarios where the unfiltered_html capability is disallowed, such as in multisite setups. The vulnerability has been assigned a CVSS score of 3.5 (low severity) and is classified under CWE-79. It falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. This could potentially lead to the execution of malicious JavaScript code in the context of other users' browsers who access the affected forms (WPScan).

The vulnerability has been patched in version 1.38.3 of the Forminator Forms plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).