CVE-2026-9278
Description
Stored XSS in Form Builder CP plugin before 1.2.47 allows Editor+ users to inject scripts via form configuration, affecting all visitors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Form Builder CP WordPress plugin versions before 1.2.47 fail to properly sanitize a form configuration value before storing it and using it as part of client-side script execution. This allows authenticated users with Editor-level access or above to inject arbitrary JavaScript into the form configuration, which is then rendered on any page displaying the affected form [1].
Exploitation
An attacker needs only Editor-level access to the WordPress site. They can craft a malicious form configuration value containing JavaScript payloads. When a visitor loads a page that includes the form, the stored script executes in the visitor's browser. The vulnerability is exploitable even when the unfiltered_html capability is disallowed, such as in multisite networks [1].
Impact
Successful exploitation results in Stored Cross-Site Scripting (XSS), allowing the attacker to execute arbitrary JavaScript in the context of any visitor's browser. This can lead to session hijacking, data theft, defacement, or further compromise of the affected site [1].
Mitigation
The vulnerability is fixed in version 1.2.47 of the Form Builder CP plugin. Users should update to this version immediately. No workarounds are documented in the available references [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries, both without a CPE identifier and with the same version range:
- (no CPE) range: <1.2.47
- (no CPE) range: <1.2.47
Patches
No patches discovered yet (0).
Vulnerability mechanics
Root cause
"Improper sanitization of a form configuration value before storage and client-side script execution allows stored cross-site scripting."
Attack vector
An authenticated attacker with Editor-level access or above crafts a malicious form configuration value containing JavaScript payloads. Because the plugin does not sanitize this value before storing it and later injecting it into client-side script execution, the payload is stored in the database. Any visitor who loads a page that renders the affected form will execute the attacker's script, achieving Stored Cross-Site Scripting (XSS). This attack works even when the `unfiltered_html` capability is disallowed, such as in a multisite network [ref_id=1].
Affected code
The Form Builder CP WordPress plugin before version 1.2.47 fails to properly sanitize a form configuration value (`form_structure`) before storing it and later using it as part of a client-side script execution. The vulnerability resides in the plugin's handling of form configuration data that is rendered on pages displaying the affected form.
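The attack vector and affected-code passages above both describe one mechanism: a stored configuration value (`form_structure`) is later emitted for client-side script execution without being made safe for that context. The following is an added example, not the plugin's code and not the 1.2.47 patch, which is not visible in the references. It assumes the common way this bug class arises in WordPress plugins: serializing the stored object straight into an inline `<script>` block. The variable name `fbcpForm`, the sample configuration object and the payload string are constructed for illustration.

```javascript
// Added example (not the plugin's code). Models the bug class: a stored form
// configuration value is serialized straight into an inline <script> block.
// The embedding pattern, the shape of "form_structure" as a plain JSON-like
// object, the variable name fbcpForm and the payload are all assumptions.

// Constructed sample: what an Editor-level user could store as form configuration.
// Note the string value is valid JSON; it only becomes dangerous in the HTML context.
const STORED_CONFIG = {
  id: 7,
  title: "Contact us",
  thankYouMessage: '</script><script>document.title="pwned"</script>',
};

// Vulnerable pattern: JSON.stringify does not escape "<" or ">", so the
// "</script>" inside the string ends the inline script element early. The HTML
// parser does not understand JS string syntax; it stops at the first "</script".
function renderInlineScriptUnsafe(config) {
  return '<script>var fbcpForm = ' + JSON.stringify(config) + ';</script>';
}

// Hardened pattern: escape every character that can change HTML context or
// terminate a JS string literal (U+2028/U+2029 line separators), so the
// serialized value remains data inside the script. This is what the PHP
// JSON_HEX_TAG / JSON_HEX_AMP flags achieve on the server side.
function jsonForInlineScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderInlineScriptSafe(config) {
  return '<script>var fbcpForm = ' + jsonForInlineScript(config) + ';</script>';
}

// Check mirroring the HTML parser's rule: count how many script elements the
// rendered HTML really contains. More than one means the payload escaped its
// context and would run as a separate script in every visitor's browser.
function countScriptElements(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Confirms the hardened output still decodes to the original configuration:
// escaping must change only the representation, never the stored data.
function roundTrips(config) {
  const prefix = '<script>var fbcpForm = ';
  const suffix = ';</script>';
  const html = renderInlineScriptSafe(config);
  const body = html.slice(prefix.length, html.length - suffix.length);
  return JSON.stringify(JSON.parse(body)) === JSON.stringify(config);
}

// Stand-alone run: the unsafe renderer yields two script elements, the safe one yields one.
console.log('unsafe:', countScriptElements(renderInlineScriptUnsafe(STORED_CONFIG)));
console.log('safe:  ', countScriptElements(renderInlineScriptSafe(STORED_CONFIG)));
console.log('round-trips:', roundTrips(STORED_CONFIG));
```

On the PHP side the same context-aware encoding is obtained with `wp_json_encode( $value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT )`, or by passing the configuration through `wp_add_inline_script()` / data attributes with `esc_attr()` instead of hand-built inline scripts; whether 1.2.47 takes either route is not stated in the references. The example also shows why the `unfiltered_html` capability is no defence here: the payload is stored as a plain string through the plugin's own save path, so only the plugin's sanitization and output escaping decide whether it executes.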
What the fix does
The advisory indicates the fix is included in version 1.2.47 of the plugin [ref_id=1]. No fix commit is linked in the references, so the specific code change is not visible; the described remediation is to sanitize the form configuration value before storing it and before using it in client-side script execution, so that arbitrary JavaScript can no longer be injected.
Preconditions
- auth: Attacker must be authenticated with Editor-level access or above to the WordPress site.
- config: The site must have the Form Builder CP plugin installed and active with a version before 1.2.47.
- network: A page containing the affected form must be rendered to a visitor for the stored payload to execute.
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.