What the vulnerability does
01Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Contact Form & Lead Form Elementor Builder lead-form-builder allows Stored XSS.This issue affects Contact Form & Lead Form Elementor Builder: from n/a through <= 2.0.1.
Explanation of Vulnerability in Simple Terms
02Summary
Contact Form & Lead Form Elementor Builder versions up to 2.0.1 contain a cross-site scripting vulnerability. An attacker can inject malicious scripts that execute in the browsers of site visitors. The vulnerability requires user interaction—typically a victim clicking a malicious link or visiting a compromised page. The impact extends beyond the plugin itself to affect the broader site.
What an attacker can do
03Attacker Capabilities
Inject malicious scripts that run in visitors' browsers, stealing session tokens or redirecting users.
Potential impact on your site
04Site Impact
Visitors' browsers can be compromised; their sessions hijacked or credentials stolen without your knowledge.
Conditions required to exploit
05Prerequisites
No authentication required. Victim must click a link or visit a page containing the malicious payload.
Key dates
06Disclosure timeline
March 25, 2026
CVE published
April 29, 2026
Record updated