The vulnerability arises because the plugin does not properly neutralize user‑supplied content before storing it in the database. This omission allows an attacker to submit form data that contains malicious script, which is then persisted and rendered on the site whenever the form page is viewed. The injected code runs in the browser of any user who visits the affected page, potentially enabling a range of attacks such as defacement or the execution of additional malicious payloads. The severity of the issue stems from the fact that the malicious content is stored permanently and can affect all visitors to the form page.

WordPress installations that use the ThemeHunk Contact Form & Lead Form Elementor Builder plugin in any version from its earliest release through 2.0.1. The plugin is distributed for use within the Elementor page builder environment and is commonly deployed on sites that require customizable forms.

The CVSS score of 7.1 indicates a moderate severity. The exploitability is high because an attacker only needs the ability to submit data to the form; no authentication or advanced techniques are required. The attack path is straightforward: submit malicious input, have it stored, and then have it executed for each subsequent page visit. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the impact could be observed in any visitor’s browser that loads the compromised form page.