What the vulnerability does
01 Description
The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.1 via form field submissions. This is due to insufficient input sanitization in the lfb_lead_sanitize() function which omits certain field types from its sanitization whitelist, combined with an overly permissive wp_kses() filter at output time that allows onclick attributes on anchor tags. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the lead entries in the WordPress dashboard.
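As an added illustration (not the plugin's code and not a reconstruction of it), the two weaknesses the description names, each next to a hardened form. Function and variable names are hypothetical; the snippet assumes WordPress is loaded so its sanitization helpers and wp_kses() exist.

```php
<?php
// Constructed illustration, not the plugin's code. Assumes WordPress is
// loaded so wp_kses(), sanitize_text_field(), sanitize_textarea_field()
// and sanitize_email() are available.

// Weakness 1: a sanitization whitelist keyed on field type. Any type the
// switch does not list falls through with the raw submitted value.
function example_lead_sanitize_weak( $type, $value ) {
    switch ( $type ) {
        case 'email':
            return sanitize_email( $value );
        case 'text':
            return sanitize_text_field( $value );
        default:
            return $value; // unlisted types (e.g. 'textarea') stored as-is
    }
}

// Hardened: the default branch sanitizes too, so an unlisted field type
// can never carry markup into the database.
function example_lead_sanitize_hardened( $type, $value ) {
    switch ( $type ) {
        case 'email':
            return sanitize_email( $value );
        case 'textarea':
            return sanitize_textarea_field( $value );
        default:
            return sanitize_text_field( $value );
    }
}

// Weakness 2: an output filter that allows an event-handler attribute.
// wp_kses() keeps every attribute listed here, so 'onclick' survives and
// runs in the browser of whoever views the lead entry in the dashboard.
$example_allowed_weak = array(
    'a'  => array( 'href' => true, 'onclick' => true ),
    'br' => array(),
);

// Hardened: no on* attributes at all; only href/title/rel stay on anchors.
// With the default protocol list, wp_kses() also drops javascript: hrefs.
$example_allowed_hardened = array(
    'a'  => array( 'href' => true, 'title' => true, 'rel' => true ),
    'br' => array(),
);

function example_render_lead_value( $stored_value, $allowed_html ) {
    return wp_kses( $stored_value, $allowed_html );
}
```

Both fixes are needed: input sanitization covering every field type, and an output filter that never whitelists event-handler attributes.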
Explanation of Vulnerability in Simple Terms
02 Summary
Lead Form Builder & Contact Form versions up to 2.0.1 contain a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts. The vulnerability affects the form handling logic and can impact multiple users. No user interaction is required for exploitation. Update to a version newer than 2.0.1 to resolve this issue.
What an attacker can do
03 Attacker Capabilities
Inject malicious JavaScript that executes in visitors' browsers and affects other users on the site.
Potential impact on your site
04 Site Impact
Visitors and other users may have malicious scripts run in their browsers, potentially stealing data or session tokens.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
March 11, 2026: CVE published
April 8, 2026: Record updated