It is important that you observe the web application even if it's based on a third-party CMS, as in this case; the CMS was WordPress and the main vulnerability was the Formidable plugin
The original report was very detailed and very descriptive, which helped the team verify the vulnerability very quickly; we should also follow the same approach
The vulnerability originally was an HTML-stored injection flaw that was chained into an SQL injection vulnerability; a similar approach should be used in other vulnerability replications