Form Builder Cp
Stored Cross-Site Scripting in the Form Builder CP WordPress plugin (all versions before 1.2.47) allows authenticated users holding Editor-level access or above to inject persistent malicious scripts via unsanitized form configuration values, which execute in every visitor's browser when the affected form is rendered. Critically, this attack succeeds even when WordPress's `unfiltered_html` capability has been revoked - a control that multisite administrators commonly rely on to prevent exactly this class of injection from Editor-level roles. A publicly available exploit exists per WPScan, though no confirmed active exploitation (CISA KEV) has been recorded, and the EPSS score of 0.19% (9th percentile) reflects limited automated mass exploitation at the time of analysis.
The Form Builder CP plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'CP_EASY_FORM_WILL_APPEAR_HERE' shortcode in all versions up to, and including, 1.2.41 due to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable with low attack complexity.