Description
This alert may be a false positive; manual confirmation is required.
An HTML form was found on this page that looks susceptible to spam attacks. The form has a hidden input field with an email address as its value. This usually indicates that the recipient of an email-sending form is hardcoded in a hidden input field. If that is the case, malicious users can send email messages through your server without authorization by changing the input value. A malicious spammer could use this tactic to send large numbers of messages anonymously.
Remediation
The recipient of an email-sending form should not be hardcoded in a hidden input value, because hidden inputs are controlled by the client. The value should be set on the server side.
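The remediation above, sketched as an added example (not code from the scanner or from any scanned application): the flagged pattern next to a handler that resolves the recipient on the server. The field names `recipient` and `department`, the `RECIPIENTS` map and all addresses are assumptions made for illustration.

```python
from email.message import EmailMessage

# Assumption: recipients live in server-side configuration, keyed by a
# short identifier that the form may send instead of an address.
RECIPIENTS = {
    "sales": "sales@example.com",
    "support": "support@example.com",
}
SENDER = "webform@example.com"  # constructed address


def build_message_weak(form: dict) -> EmailMessage:
    """Pattern the alert flags: the hidden field decides who gets the mail."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = form["recipient"]  # client-controlled value
    msg["Subject"] = "Contact form"
    msg.set_content(form.get("message", ""))
    return msg


def build_message(form: dict) -> EmailMessage:
    """Recipient is resolved on the server; any submitted address is ignored."""
    key = form.get("department", "")
    if key not in RECIPIENTS:
        raise ValueError("unknown department")
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = RECIPIENTS[key]  # server-side value
    msg["Subject"] = "Contact form"
    msg.set_content(form.get("message", ""))
    return msg


# Constructed submission in which the hidden field was edited by the client.
TAMPERED = {
    "recipient": "someone-else@example.net",
    "department": "support",
    "message": "hello",
}
```

With the second handler the form can carry only the identifier, so there is no address in the page for a scanner to flag or for a client to change.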