CVE-2022-2567
The Form Builder CP WordPress plugin before 1.2.32 does not sanitize and escape some of its form settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks.
When upgrading from older versions of this plugin, users are advised to review and adjust their WordPress configuration per the recommendations outlined in this post.
High Risk
These issues have been fixed in the 1.2.33 release. We do not believe we have seen active exploitation of this issue. However, due to the risk and criticality of this issue, we feel it is important to outline it. When Form Builder was first released, we received reports of an unfiltered_html capability being enabled in some multisite setups. This capability can only be enabled if the server has the mod_security module enabled. Due
Form Builder: Add-on Feature
Form Builder is an add-on feature for the WordPress form builder plugin that allows users to create forms that load up a page of pre-filled fields. This means you can build forms quickly and easily by simply adding data from one or more WordPress tables into a single form, or building forms with custom fields.
This add-on provides additional features for Form Builder, including:
* Automatic field validation
* Custom fields & labels
* Field formatting & styling
* Uploading files & attachments
What is WordPress' unfiltered_html capability?
The unfiltered_html capability allows for the use of .htaccess files to restrict file uploads from a web server.
How to check if your server has mod_security enabled
Before updating to the 1.2.33 release, we recommend checking if your server has mod_security enabled. In order to do this, go to your WordPress Dashboard and look for the Security tab. If you're using a multisite installation, you'll have a second Security tab called Plugins.
If you're on a single site install, plugin security will be visible at Settings > All Settings > Plugins.
You should see a list of active plugins and their status (enabled or disabled). If you see "unfiltered_html" listed as enabled in any of these places, please review the recommended actions below.
Unauthenticated Remote Code Execution
There are a number of critical security vulnerabilities in the Form Builder plugin, which can be exploited by an attacker to gain overall control of WordPress installations on websites running this plugin. When upgrading from older versions of this plugin, users are advised to review and adjust their WordPress configuration per the recommendations outlined in this post.
What is WordPress Form Builder?
Form Builder is a plugin for WordPress which allows your website visitors to create new forms that can be filled out and submitted via email. This results in a more interactive website as each form can have its own unique layout and design.
The unfiltered_html capability was enabled on some installations of Form Builder and was not intended to be active by default. If your server has the mod_security module enabled, you may see this capability enabled in some multisite setups. The unfiltered_html feature provides the ability to allow HTML markup in fields that would normally only accept text input (e.g. email field). It is highly recommended to disable this feature if you are using Form Builder in a multisite setup where users may be able to view others' submissions without logging in or having an account on your site.
Timeline
Published on: 09/19/2022 14:15:00 UTC
Last modified on: 09/21/2022 06:26:00 UTC