{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32532", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:24.776Z", "datePublished": "2026-03-25T16:15:09.742Z", "dateUpdated": "2026-03-25T20:13:17.628Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "lead-form-builder", "product": "Contact Form & Lead Form Elementor Builder", "vendor": "ThemeHunk", "versions": [{"changes": [{"at": "2.0.2", "status": "unaffected"}], "lessThanOrEqual": "<= 2.0.1", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:42.510Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Contact Form & Lead Form Elementor Builder lead-form-builder allows Stored XSS.<p>This issue affects Contact Form & Lead Form Elementor Builder: from n/a through <= 2.0.1.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Contact Form & Lead Form Elementor Builder lead-form-builder allows Stored XSS.This issue affects Contact Form & Lead Form Elementor Builder: from n/a through <= 2.0.1."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:09.742Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/lead-form-builder/vulnerability/wordpress-contact-form-lead-form-elementor-builder-plugin-2-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Contact Form & Lead Form Elementor Builder plugin <= 2.0.1 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32532", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:10:42.657377Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:13:17.628Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32532", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:10:42.657377Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:02:44.376Z"}}], "cna": {"title": "WordPress Contact Form & Lead Form Elementor Builder plugin <= 2.0.1 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "affected": [{"vendor": "ThemeHunk", "product": "Contact Form & Lead Form Elementor Builder", "versions": [{"status": "affected", "changes": [{"at": "2.0.2", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 2.0.1"}], "packageName": "lead-form-builder", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:42.510Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/lead-form-builder/vulnerability/wordpress-contact-form-lead-form-elementor-builder-plugin-2-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Contact Form & Lead Form Elementor Builder lead-form-builder allows Stored XSS.This issue affects Contact Form & Lead Form Elementor Builder: from n/a through <= 2.0.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Contact Form & Lead Form Elementor Builder lead-form-builder allows Stored XSS.<p>This issue affects Contact Form & Lead Form Elementor Builder: from n/a through <= 2.0.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:09.742Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32532", "state": "PUBLISHED", "dateUpdated": "2026-03-25T20:13:17.628Z", "dateReserved": "2026-03-12T11:12:24.776Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:15:09.742Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Contact Form & Lead Form Elementor Builder lead-form-builder allows Stored XSS.This issue affects Contact Form & Lead Form Elementor Builder: from n/a through <= 2.0.1."}], "id": "CVE-2026-32532", "lastModified": "2026-03-25T21:16:44.487", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:17:06.727", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/lead-form-builder/vulnerability/wordpress-contact-form-lead-form-elementor-builder-plugin-2-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:16:06.150968+00:00", "value": {"mitigation_remediation": ["Update the Contact Form & Lead Form Elementor Builder plugin to the latest version that includes the XSS fix. If an immediate update is not possible, deactivate or uninstall the plugin to eliminate the attack surface."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress users running ThemeHunk Contact Form & Lead Form Elementor Builder are impacted. All installations of the plugin with a version of 2.0.1 or older are vulnerable, as the issue is present from the earliest published releases up through 2.0.1 inclusive.", "description_and_impact": "The vulnerability is an improper neutralization of input during web page generation that allows attackers to store malicious script code. This stored XSS can execute arbitrary JavaScript when other users view the affected content, enabling session hijacking, credential theft, defacement, or malicious redirects. The weakness is categorized as CWE-79, indicating an input validation flaw that permits reflected or stored script injection.", "risk_and_exploitability": "The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, so publicly measured exploitation likelihood is unknown. However, the stored XSS vector is typically exploitable by submitting malicious input through the plugin\u2019s form interfaces, which is a common attack surface. Because the flaw resides in the plugin\u2019s input handling, the attack likely requires administrative access to the WordPress dashboard or unauthenticated users who can submit through a publicly exposed form. No additional information about CVSS severity is supplied, so the exact risk rating cannot be established from the data provided."}}}}, "created": "2026-03-25T21:47:08.748627+00:00", "updated": "2026-03-25T21:47:08.748661+00:00", "vendors": []}