Description
WordPress Contact Form Builder 1.6.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting the form_id parameter. Attackers can craft malicious URLs to code_generator.php with script payloads in the form_id parameter to execute arbitrary JavaScript in victim browsers.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected cross-site scripting flaw in WordPress Contact Form Builder 1.6.1. It is classified as CWE-79 and allows attackers to inject JavaScript by supplying a malicious value in the form_id request parameter. When a victim loads the generated URL, the script runs in their browser, enabling the attacker to steal session cookies, deface pages, or redirect users to phishing sites.

Affected Systems

The affected product is wpdevart’s Contact Form Builder plugin for WordPress with the vulnerable release 1.6.1. No other vendors or versions are listed as impacted.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. The EPSS score is not available and the vulnerability is not cataloged in CISA KEV, suggesting limited known exploitation. Attackers can exploit the flaw by accessing an unauthenticated, crafted URL targeting code_generator.php. The compromise is client-side and requires victims to visit the malicious link; the attacker can then execute arbitrary JavaScript in those browsers.

Generated by OpenCVE AI on May 10, 2026 at 13:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Contact Form Builder to the latest available version that removes the reflected XSS flaw.
  • If the plugin is not required, uninstall or disable it entirely to eliminate the attack surface.
  • Implement input validation or sanitization for the form_id parameter and restrict direct access to code_generator.php, for example by using .htaccess rules or a security plugin that enforces safe scripting.

Generated by OpenCVE AI on May 10, 2026 at 13:24 UTC.

Advisories

No advisories yet.

History

Sun, 10 May 2026 13:45:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  | -              | Wordpress; Wordpress wordpress; Wpdevart; Wpdevart contact Form Builder
Vendors & Products   | -              | Wordpress; Wordpress wordpress; Wpdevart; Wpdevart contact Form Builder

Sun, 10 May 2026 12:45:00 +0000

Type        | Values Removed | Values Added
Description | -              | WordPress Contact Form Builder 1.6.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting the form_id parameter. Attackers can craft malicious URLs to code_generator.php with script payloads in the form_id parameter to execute arbitrary JavaScript in victim browsers.
Title       | -              | WordPress Contact Form Builder 1.6.1 Cross-Site Scripting via code_generator.php
Weaknesses  | -              | CWE-79
References  | -              |
Metrics     | -              | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
            |                | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:12:53.644Z

Reserved: 2026-01-11T13:34:26.332Z

Link: CVE-2022-50959

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-10T13:16:33.570

Modified: 2026-05-10T13:16:33.570

Link: CVE-2022-50959

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T13:30:12Z

Weaknesses