Form Vibes Save Contact Form 7 Elementor Form Entries To Database
Monthly
Stored cross-site scripting in the Form Vibes - Database Manager for Forms WordPress plugin (all versions through 1.5.2) lets unauthenticated attackers persist malicious JavaScript by submitting a crafted Contact Form 7 field, which the plugin stores and later renders unescaped in the WordPress admin entries view. Because sanitization and output escaping are both insufficient, the injected script executes in the browser of any user (typically a logged-in administrator) who opens the captured submissions. No public exploit is identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated, no-privilege injection vector combined with scope-changing impact makes it a practical account-takeover risk for exposed sites.
Stored cross-site scripting in the Form Vibes - Database Manager for Forms WordPress plugin (all versions through 1.5.2) lets unauthenticated attackers persist malicious JavaScript by submitting a crafted Contact Form 7 field, which the plugin stores and later renders unescaped in the WordPress admin entries view. Because sanitization and output escaping are both insufficient, the injected script executes in the browser of any user (typically a logged-in administrator) who opens the captured submissions. No public exploit is identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated, no-privilege injection vector combined with scope-changing impact makes it a practical account-takeover risk for exposed sites.