Freeform, Free Execution: Stored XSS in Craft CMS's Favorite Form Builder
Vulnerability ID: GHSA-JP3Q-WWP3-PWV9
CVSS Score: 8.2
Published: 2026-01-22
A high-severity Stored Cross-Site Scripting (XSS) vulnerability in the Solspace Freeform plugin for Craft CMS allows low-privileged users to hijack administrator sessions via the Control Panel.
TL;DR
The Solspace Freeform plugin (versions <= 5.14.6) for Craft CMS contains a Stored XSS vulnerability in its Form Builder and Integrations views. Because the plugin renders user-controlled labels and SVG icons using React's dangerouslySetInnerHTML without sanitization, an attacker with basic 'edit form' permissions can inject malicious JavaScript. When an administrator views the compromised form builder, the script executes, leading to session hijacking and potential full site takeover.
⚠️ Exploit Status: POC
Technical Details
- Vulnerability Type: Stored Cross-Site Scripting (XSS)
- Attack Vector: Network (Authenticated)
- Severity: High / Critical (Context Dependent)
- Component: Freeform Control Panel (Form Builder & Integrations)
- Root Cause: Unsanitized dangerouslySetInnerHTML usage
- Authentication Required: Yes (Low Privilege)
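The following is an added illustration, not Freeform's own code: it shows the rendering pattern the advisory describes (user-controlled labels and SVG icons passed through dangerouslySetInnerHTML) beside a hardened equivalent, and a triage check a defender can run over stored form data after patching. The BUNDLED_ICONS set and the sample label are constructed for the example.

```javascript
// Added example, not Freeform's own code: the rendering pattern the advisory
// describes beside a hardened equivalent, plus a triage check for stored markup.

// Minimal HTML escaping, equivalent to what React applies to text children.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Vulnerable pattern: the string equivalent of
//   <label dangerouslySetInnerHTML={{ __html: field.label }} />
// Markup stored in the label is emitted verbatim and interpreted by the browser.
function renderLabelUnsafe(label) {
  return `<label>${label}</label>`;
}

// Hardened pattern: the equivalent of <label>{field.label}</label>.
// The label is treated as text, so stored markup is displayed, never executed.
function renderLabelSafe(label) {
  return `<label>${escapeHtml(label)}</label>`;
}

// Icons are the second sink. Instead of rendering user-supplied SVG markup,
// accept only an identifier and resolve it against icons bundled with the
// application. BUNDLED_ICONS is a constructed placeholder set.
const BUNDLED_ICONS = {
  generic: '<svg viewBox="0 0 16 16"><circle cx="8" cy="8" r="7"/></svg>',
  mail: '<svg viewBox="0 0 16 16"><path d="M1 3h14v10H1z"/></svg>',
};
const ICON_ID = /^[a-z0-9-]{1,32}$/;
function renderIconSafe(iconId) {
  const known = ICON_ID.test(String(iconId)) &&
    Object.prototype.hasOwnProperty.call(BUNDLED_ICONS, iconId);
  return known ? BUNDLED_ICONS[iconId] : BUNDLED_ICONS.generic;
}

// Triage heuristic for stored labels and icons after patching: flags markup
// carrying script tags, inline event handlers, or javascript: URLs. It is a
// review aid for finding already-stored payloads, not a sanitizer.
function containsActiveContent(stored) {
  return /<script\b|\bon[a-z]+\s*=|javascript\s*:/i.test(String(stored));
}

// Constructed sample of a label stored by a user holding 'edit form' permission.
const STORED_LABEL = 'Email <script>/* injected */</script>';
console.log(renderLabelUnsafe(STORED_LABEL)); // script tag reaches the admin's browser
console.log(renderLabelSafe(STORED_LABEL));   // &lt;script&gt; is shown as text
```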
Affected Systems
- Craft CMS
- Solspace Freeform Plugin
- solspace/craft-freeform: <= 5.14.6 (fixed in 5.14.7)
Exploit Details
- GitHub Advisory: Advisory containing PoC steps for label and integration icon XSS.
Mitigation Strategies
- Update plugin to patched version
- Implement Content Security Policy (CSP)
- Restrict user permissions for Form Builder access
- Deploy WAF rules to block HTML injection
Remediation Steps:
- Access your Craft CMS project terminal.
- Run composer require solspace/craft-freeform:^5.14.7
- Run ./craft migrate/all to ensure all database migrations are applied.
- Verify the update by checking the plugin version in the Control Panel.
References
Read the full report for GHSA-JP3Q-WWP3-PWV9 on our website for more details including interactive diagrams and full exploit analysis.