WordPress Plugin Vulnerabilities

Form Builder CP < 1.2.47 - Editor+ Stored XSS via form_structure

Description

The plugin does not properly sanitize a form configuration value before storing it and using it as part of a client-side script execution, allowing authenticated users with Editor-level access and above to perform Stored Cross-Site Scripting attacks against any visitor of a page rendering the affected form, even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network).

Proof of Concept

Affects Plugins

Plugin icon
cp-easy-form-builder
Fixed in 1.2.47

References

CVE
CVE-2026-9278
YouTube Video

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (Low)

Miscellaneous

Original Researcher
Luca Jungnickel
Submitter
Luca Jungnickel
Verified
Yes
WPVDB ID
b306b6f1-ca34-495f-a823-6e8f66e343d7

Timeline

Publicly Published
2026-05-25 (about 21 days ago)
Added
2026-05-25 (about 20 days ago)
Last Updated
2026-05-25 (about 20 days ago)

Other

Published
Title
Published
2021-09-23
Title
YITH Maintenance Mode < 1.4.0 - Multiple Admin+ Stored Cross-Site Scripting
Published
2025-03-02
Title
Slider, Gallery, Carousel by MetaSlider < 3.95.0 - Editor+ Stored XSS
Published
2025-12-12
Title
King Addons for Elementor <= 51.1.39 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Published
2024-12-30
Title
GS Coaches < 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-03-18
Title
WPB Show Core < 2.7 - Reflected XSS