Description
The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.1 via form field submissions. This is due to insufficient input sanitization in the lfb_lead_sanitize() function which omits certain field types from its sanitization whitelist, combined with an overly permissive wp_kses() filter at output time that allows onclick attributes on anchor tags. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the lead entries in the WordPress dashboard.
Published: 2026-03-11
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS enabling script execution for administrators
Action: Patch plugin
AI Analysis

Impact

The Responsive Contact Form Builder & Lead Generation Plugin for WordPress is vulnerable to stored cross‑site scripting due to insufficient sanitization in the lfb_lead_sanitize() function and an overly permissive wp_kses() filter that allows onclick attributes on anchor tags. This flaw permits unauthenticated attackers to submit malicious content via a form field, which is then stored in the database. When a site administrator later views the lead entries in the WordPress dashboard, the stored script is rendered and executed in the admin browser context. The vulnerability is a classic input validation/sanitization defect identified as CWE‑79.

Affected Systems

All WordPress installations that have the themehunk Lead Form Builder & Contact Form plugin version 2.0.1 or earlier are affected. The weakness spans the entire plugin codebase for these versions; any site that accepts form submissions using this plugin is susceptible to the stored XSS vector.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity for confidentiality, integrity, and availability of the administrative session. The EPSS score of less than 1 % suggests a relatively low likelihood of exploitation in the wild at present, and the vulnerability is not listed in the CISA KEV catalog. An attacker only needs an unauthenticated POST to the plugin’s form endpoint; no authentication or privileged access is required. When the stored payload is viewed by an administrator, it executes in their browser, potentially stealing session cookies, defacing the dashboard, or executing arbitrary client‑side code.

Generated by OpenCVE AI on March 17, 2026 at 15:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Lead Form Builder & Contact Form plugin to the latest version
  • If a patch is not immediately available, temporarily disable or uninstall the plugin to prevent new lead submissions
  • Delete any stored lead entries that may contain malicious content to eliminate the XSS vector
  • Review wp_kses and other output filtering rules to ensure that dangerous attributes such as onclick are disallowed
  • Verify that the site’s security monitoring is enabled to detect unexpected script execution in the admin dashboard

Generated by OpenCVE AI on March 17, 2026 at 15:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Themehunk
Themehunk lead Form Builder & Contact Form
Wordpress
Wordpress wordpress
Vendors & Products Themehunk
Themehunk lead Form Builder & Contact Form
Wordpress
Wordpress wordpress

Wed, 11 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Description The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.1 via form field submissions. This is due to insufficient input sanitization in the lfb_lead_sanitize() function which omits certain field types from its sanitization whitelist, combined with an overly permissive wp_kses() filter at output time that allows onclick attributes on anchor tags. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the lead entries in the WordPress dashboard.
Title Responsive Contact Form Builder & Lead Generation Plugin <= 2.0.1 - Unauthenticated Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Themehunk Lead Form Builder & Contact Form
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-11T13:35:53.834Z

Reserved: 2026-01-26T19:59:41.414Z

Link: CVE-2026-1454

cve-icon Vulnrichment

Updated: 2026-03-11T13:35:49.621Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-11T09:16:12.647

Modified: 2026-03-11T13:52:47.683

Link: CVE-2026-1454

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:37:32Z

Weaknesses