CVE-2024-9768: 
WordPress vulnerability analysis and mitigation

The Formidable Forms WordPress plugin before version 6.14.1 contains a stored Cross-Site Scripting (XSS) vulnerability. This security issue was discovered and reported on October 31, 2024, affecting the free version of the plugin. The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed, such as in multisite setups (WPScan, NVD).

The vulnerability stems from insufficient sanitization and escaping of certain plugin settings. It has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

When exploited, this vulnerability allows authenticated users with administrative privileges to inject and store malicious scripts that can execute when other users access the affected pages. This is particularly concerning in multisite WordPress installations where certain HTML restrictions are typically enforced (WPScan).

The vulnerability has been patched in version 6.14.1 of the Formidable Forms plugin. Users are strongly advised to update to this version or later to mitigate the security risk (WPScan).