HeadlinesBriefing.com

High-Severity XSS Vulnerability in Craft CMS

DEV Community

A high-severity Stored Cross-Site Scripting (XSS) vulnerability, tracked as GHSA-JP3Q-WWP3-PWV9, has been discovered in the Solspace Freeform plugin for Craft CMS. The flaw allows a low-privileged user to hijack an administrator's session through the Control Panel. It affects plugin versions up to and including 5.14.6, where user-controlled field labels and SVG icons are rendered into the Control Panel without sanitization, so markup placed in those values is executed as script in the administrator's browser.

The root cause is the use of React's `dangerouslySetInnerHTML` to render these values without sanitizing them first. Any user holding the basic 'edit form' permission can therefore store JavaScript in a form definition; it runs when an administrator opens the compromised form, which enables session hijacking and potentially a full site takeover. The vulnerability carries a CVSS score of 8.2, a high severity rating.
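The following is an added illustration, not code from Freeform or Craft CMS, of the sink described above: a user-controlled label or icon string is interpolated straight into HTML (what `dangerouslySetInnerHTML` effectively does), next to two defensive renderings. Labels are treated as text by escaping them; for icons, instead of inlining arbitrary SVG markup, the SVG is referenced from an `<img>` element, which browsers render without executing any script or event-handler attributes it contains. The field names, the `Buffer`-based base64 encoding (Node; use `btoa` in a browser) and the sample label are assumptions made for the example.

```javascript
// Added example (hypothetical, not the plugin's code): a stored-XSS sink and
// two hardened renderings for user-controlled form labels and SVG icons.

// Escape the characters that matter in HTML text and attribute context so the
// value is displayed literally rather than parsed as markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// VULNERABLE pattern: the stored label is trusted as HTML. Anything a form
// editor typed, including <script> or on* attributes, reaches the admin's DOM.
function renderLabelUnsafe(label) {
  return `<span class="field-label">${label}</span>`;
}

// HARDENED: the same label rendered as text. In React this is what the default
// `{label}` child expression does; dangerouslySetInnerHTML bypasses it.
function renderLabelSafe(label) {
  return `<span class="field-label">${escapeHtml(label)}</span>`;
}

// HARDENED icon rendering: reference the user's SVG from an <img> instead of
// inlining it. SVG loaded via <img> is rendered as an image; scripts, event
// handlers and external loads inside it are not executed by the browser.
// (Buffer is Node-specific; a browser build would use btoa on a UTF-8 string.)
function renderIconAsImage(svgMarkup) {
  const b64 = Buffer.from(String(svgMarkup), 'utf8').toString('base64');
  return `<img class="field-icon" alt="" src="data:image/svg+xml;base64,${b64}">`;
}

// Render a whole field definition with the hardened helpers.
function renderField(field) {
  return renderIconAsImage(field.icon) + renderLabelSafe(field.label);
}

// Constructed sample input: a form editor has stored a label containing markup.
const sampleField = {
  label: 'Your name <script>alert(1)</script>',
  icon: '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
};

// Stand-alone demo: the unsafe rendering echoes the script tag verbatim,
// the hardened rendering does not contain a parseable <script> element.
console.log('unsafe  :', renderLabelUnsafe(sampleField.label));
console.log('hardened:', renderField(sampleField));
```

The escaping helper is deliberately minimal and only correct for HTML text and quoted attribute values; rendering user input into a URL, a `<style>` block or inline script needs a context-specific encoder, and a Content Security Policy that forbids inline script remains a worthwhile second layer if any sink is missed.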

To mitigate the risk, users are advised to update to the patched version, 5.14.7. Content Security Policy and Web Application Firewall rules add defense in depth but do not replace the patch. Craft CMS administrators should also restrict which accounts hold form builder permissions, since that permission is all an attacker needs to plant the payload. This incident underscores the importance of rigorous security practices in managing CMS plugins and the need for ongoing vigilance in the face of evolving threats.