CVE-2017-18600

The formcraft3 plugin before 3.4 for WordPress has stored XSS via the “New Form > Heading > Heading Text” field.
Source: NIST
CVE-2017-18600