Dave discovered and reported this Cross Site Scripting (XSS) vulnerability in the WordPress Super Special Form Plugin to Patchstack.
This plugin is vulnerable to reflected Cross Site Scripting (XSS), which makes it possible to read document.cookie and carry out other reflected XSS attacks, such as redirecting the user to another domain name or executing a JavaScript file.
While logged in as an administrator, visit the URL /wp-admin/?super_special=%3Cimg%20src%3d1%20onerror%3dalert(document.cookie)%3E&id=1. Because this is a reflected XSS attack, successful exploitation would require some kind of social engineering.
No files were uploaded by the researcher.
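For defenders reviewing web server logs, the following added example (not part of the original report or the plugin's code) flags /wp-admin/ requests whose super_special parameter decodes to HTML markup. The log lines are constructed samples in combined log format, and the function names and the character set treated as markup are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/?super_special=%3Cimg%20src%3d1%20onerror%3dalert(document.cookie)%3E&id=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/?super_special=contact-form&id=1 HTTP/1.1" 200 4980',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-admin/?super_special=%253Cscript%253E&id=2 HTTP/1.1" 200 5001',
    '203.0.113.8 - - [01/Jan/2024:10:00:12 +0000] "GET /wp-admin/index.php?page=other HTTP/1.1" 200 4000',
]

PARAM = "super_special"  # parameter named in the report
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: characters that let a reflected value leave text or attribute context.
MARKUP_RE = re.compile(r'[<>"\']')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are also inspected."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_values(line):
    """Return decoded super_special values in one log line that contain markup."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    parts = urlsplit(match.group(1))
    if not parts.path.startswith("/wp-admin/"):
        return []
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    return [v for v in map(fully_decode, values) if MARKUP_RE.search(v)]


def scan(lines):
    """Return (line_number, decoded_values) for every flagged log line."""
    return [(n, hits) for n, line in enumerate(lines, 1)
            if (hits := suspicious_values(line))]


if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {hits}")
```

A hit only shows that markup was sent in the parameter; whether it was reflected unescaped depends on the installed plugin version.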