Skip to main content

Form Vibes EUVDEUVD-2026-43147

| CVE-2026-13378 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-11 Wordfence GHSA-r6rx-xwfp-wpj4
7.2
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Unauthenticated public submission gives PR:N/AV:N/AC:L, but the stored payload only fires when an admin views entries, so UI:R; scope change (S:C) as script runs in the admin browser context with limited C/I impact and no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 06:23 vuln.today
CVE Published
Jul 11, 2026 - 04:32 nvd
HIGH 7.2

DescriptionCVE.org

The Form Vibes - Database Manager for Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Contact Form 7 Form Field in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored cross-site scripting in the Form Vibes - Database Manager for Forms WordPress plugin (all versions through 1.5.2) lets unauthenticated attackers persist malicious JavaScript by submitting a crafted Contact Form 7 field, which the plugin stores and later renders unescaped in the WordPress admin entries view. Because sanitization and output escaping are both insufficient, the injected script executes in the browser of any user (typically a logged-in administrator) who opens the captured submissions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Locate public Contact Form 7 form
Delivery
Submit form field with malicious script
Exploit
Payload stored unsanitized in database
Execution
Admin opens Form Vibes entries view
Persist
Script executes in admin session
Impact
Hijack session or create rogue admin

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target WordPress site runs Form Vibes (≤1.5.2) with the Contact Form 7 integration enabled and a publicly reachable CF7 form whose submissions are captured to the database - the injection is delivered through that CF7 form field, so a working CF7 form wired into Form Vibes is the concrete prerequisite. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N (7.2, High) reflects a network-reachable, low-complexity, unauthenticated injection with a scope change, consistent with stored XSS whose payload executes in the privileged admin context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a public Contact Form 7 form on a site running Form Vibes, placing a JavaScript payload (for example an event-handler attribute or script tag) into a form field. Form Vibes stores the unsanitized value, and when a site administrator later opens the Form Vibes submissions view the payload executes in their authenticated browser session, enabling session/cookie theft, creation of a rogue admin account, or other actions in the admin context. …
Remediation No vendor-released patched version is stated in the available data - all versions up to and including 1.5.2 are affected - so no fixed release number can be confirmed; a WordPress.org changeset (https://plugins.trac.wordpress.org/changeset?reponame=&old=3599917%40form-vibes&new=3597349%40form-vibes) is referenced and may correspond to an upstream fix, but a tagged patched version is not independently confirmed. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all WordPress instances running Form Vibes; assess active usage and review admin audit logs for suspicious entry-view activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43147 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy