Skip to main content

Form Vibes Save Contact Form 7 Elementor Form Entries To Database

1 CVEs product

Monthly

CVE-2026-13378 HIGH This Week

Stored cross-site scripting in the Form Vibes - Database Manager for Forms WordPress plugin (all versions through 1.5.2) lets unauthenticated attackers persist malicious JavaScript by submitting a crafted Contact Form 7 field, which the plugin stores and later renders unescaped in the WordPress admin entries view. Because sanitization and output escaping are both insufficient, the injected script executes in the browser of any user (typically a logged-in administrator) who opens the captured submissions. No public exploit is identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated, no-privilege injection vector combined with scope-changing impact makes it a practical account-takeover risk for exposed sites.

WordPress XSS Form Vibes Save Contact Form 7 Elementor Form Entries To Database
NVD
CVSS 3.1
7.2
EPSS
0.2%
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Form Vibes - Database Manager for Forms WordPress plugin (all versions through 1.5.2) lets unauthenticated attackers persist malicious JavaScript by submitting a crafted Contact Form 7 field, which the plugin stores and later renders unescaped in the WordPress admin entries view. Because sanitization and output escaping are both insufficient, the injected script executes in the browser of any user (typically a logged-in administrator) who opens the captured submissions. No public exploit is identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated, no-privilege injection vector combined with scope-changing impact makes it a practical account-takeover risk for exposed sites.

WordPress XSS Form Vibes Save Contact Form 7 Elementor Form Entries To Database
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy