What is the CVSS score of EUVD-2026-36700?

EUVD-2026-36700 has a CVSS 3.1 base score of 5.4 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. EPSS exploitation probability: 0.2%.

Is there a public PoC exploit available for EUVD-2026-36700?

Yes, a public proof-of-concept exploit is available for EUVD-2026-36700. Prioritise patching immediately. EPSS: 0.2%.

Is there a patch available for EUVD-2026-36700?

Yes, a patch is available for EUVD-2026-36700. Update the affected software to the latest version immediately.

Form Builder CP EUVD-2026-36700

| CVE-2026-9278 MEDIUM

2026-06-15 WPScan

GHSA-x9r5-r92q-89hf

XSS WordPress Form Builder Cp

5.4

CVSS 3.1 · Vendor: WPScan

Severity by source

Vendor (WPScan) PRIMARY

5.4 MEDIUM

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

vuln.today AI

5.4 MEDIUM

PR:L reflects required Editor-level authentication; S:C and C:L/I:L capture cross-browser script execution impact; UI:R required as victim must load the affected form page.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Jun 15, 2026 - 16:23 vuln.today

CVSS changed

Jun 15, 2026 - 16:22 NVD

5.4 (MEDIUM)

Patch available

Jun 15, 2026 - 09:01 EUVD

CVE Published

Jun 15, 2026 - 06:00 cve.org

MEDIUM 5.4

CVE Published

Jun 15, 2026 - 06:00 cve.org

UNKNOWN (no severity yet)

DescriptionCVE.org

The Form Builder CP WordPress plugin before 1.2.47 does not properly sanitize a form configuration value before storing it and using it as part of a client-side script execution, allowing authenticated users with Editor-level access and above to perform Stored Cross-Site Scripting attacks against any visitor of a page rendering the affected form, even when the unfiltered_html capability is disallowed (e.g. in a multisite network).

AnalysisAI

Stored Cross-Site Scripting in the Form Builder CP WordPress plugin (all versions before 1.2.47) allows authenticated users holding Editor-level access or above to inject persistent malicious scripts via unsanitized form configuration values, which execute in every visitor's browser upon rendering the affected form. Critically, this attack succeeds even when WordPress's unfiltered_html capability has been revoked - a control that multisite administrators commonly rely on to prevent exactly this class of injection from Editor-level roles. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Obtain or compromise Editor-level WordPress credentials

Delivery

Access Form Builder CP plugin and open form configuration

Exploit

Inject malicious JavaScript into unsanitized configuration field

Install

Payload persisted to WordPress database

Victim navigates to page rendering the affected form

Execute

Injected script executes in victim browser

Impact

Session token exfiltrated or victim browser co-opted for further attacks