Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Unauthenticated public submission gives PR:N/AV:N/AC:L, but the stored payload only fires when an admin views entries, so UI:R; scope change (S:C) as script runs in the admin browser context with limited C/I impact and no availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Form Vibes - Database Manager for Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Contact Form 7 Form Field in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Articles & Coverage 1
AnalysisAI
Stored cross-site scripting in the Form Vibes - Database Manager for Forms WordPress plugin (all versions through 1.5.2) lets unauthenticated attackers persist malicious JavaScript by submitting a crafted Contact Form 7 field, which the plugin stores and later renders unescaped in the WordPress admin entries view. Because sanitization and output escaping are both insufficient, the injected script executes in the browser of any user (typically a logged-in administrator) who opens the captured submissions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target WordPress site runs Form Vibes (≤1.5.2) with the Contact Form 7 integration enabled and a publicly reachable CF7 form whose submissions are captured to the database - the injection is delivered through that CF7 form field, so a working CF7 form wired into Form Vibes is the concrete prerequisite. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N (7.2, High) reflects a network-reachable, low-complexity, unauthenticated injection with a scope change, consistent with stored XSS whose payload executes in the privileged admin context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a public Contact Form 7 form on a site running Form Vibes, placing a JavaScript payload (for example an event-handler attribute or script tag) into a form field. Form Vibes stores the unsanitized value, and when a site administrator later opens the Form Vibes submissions view the payload executes in their authenticated browser session, enabling session/cookie theft, creation of a rogue admin account, or other actions in the admin context. … |
| Remediation | No vendor-released patched version is stated in the available data - all versions up to and including 1.5.2 are affected - so no fixed release number can be confirmed; a WordPress.org changeset (https://plugins.trac.wordpress.org/changeset?reponame=&old=3599917%40form-vibes&new=3597349%40form-vibes) is referenced and may correspond to an upstream fix, but a tagged patched version is not independently confirmed. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all WordPress instances running Form Vibes; assess active usage and review admin audit logs for suspicious entry-view activity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43147
GHSA-r6rx-xwfp-wpj4