
Contact Form Lead Form Elementor Builder

2 CVEs product


CVE-2026-32532 HIGH This Week

A Stored Cross-Site Scripting (XSS) vulnerability exists in ThemeHunk's Contact Form & Lead Form Elementor Builder plugin for WordPress, affecting all versions through 2.0.1. An attacker can inject malicious scripts into form fields that are stored in the database and executed in the browsers of administrators or other users who view the submitted data, potentially leading to account takeover, data theft, or malware distribution. No CVSS score or EPSS data is currently available, and active exploitation status is unknown; however, the vulnerability is confirmed by Patchstack and tracked under ENISA EUVD-2026-15903.

XSS Contact Form Lead Form Elementor Builder
NVD VulDB
CVSS 3.1: 7.1
EPSS: 0.0%

CVE-2024-10475 MEDIUM POC Monitor

The Responsive Contact Form Builder & Lead Generation Plugin WordPress plugin before 1.9.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Contact Form Lead Form Elementor Builder
NVD WPScan
CVSS 3.1: 4.8
EPSS: 0.2%