Stored Cross-Site Scripting (XSS) in "Add Contact" Name Field – MainWP Plugin
MainWP
Reported by
rishail01
Vulnerability Details
Technical details and impact analysis
While testing the MainWP WordPress plugin (https://github.com/mainwp/mainwp), I discovered a stored XSS vulnerability in the Client Management feature, specifically in the "Add Contact" > Contact Name field.
The issue occurs because the plugin stores the Contact Name exactly as submitted and later renders it into the page without HTML-escaping it. A user who can add or edit a client can therefore save a JavaScript payload in the database, and it executes in the browser of any user (on a MainWP Dashboard, typically an administrator) who later opens the affected client profile.
I crafted a payload and inserted it into the Contact Name field while editing a client:
`</TITLE><SCRIPT>alert("XSS By Rishail 2025");</SCRIPT>`
After saving the changes, the payload got stored as-is, and the JavaScript executed instantly upon reloading the client’s detail page — proving the XSS vulnerability.
## Impact
This vulnerability allows an attacker to execute arbitrary JavaScript in the browser of any user who views the affected page. Because the script runs in the origin of the MainWP Dashboard with the victim's authenticated session, it can act as that user.
An attacker can exploit this to:
- Steal administrator session cookies (note that WordPress sets its auth cookies HttpOnly by default, so in practice the next point is the more reliable route).
- Perform unauthorized actions as an admin directly from the victim's browser (e.g., add malicious clients or push plugins), using the nonces already present in the page.
If an attacker stores a malicious script in the Contact Name field, any admin who views or edits that client will unknowingly trigger the payload. Since the MainWP Dashboard controls the connected child sites, this can escalate to full compromise of the dashboard: the attacker can manipulate connected WordPress sites, push fake updates, or leak sensitive client data, causing reputational and operational damage.
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$50.00
Weakness
Cross-site Scripting (XSS) - Reflected