Stored Cross-Site Scripting Vulnerability in Form Vibes Database Manager for Forms Plugin
CVE-2026-13378

7.2HIGH

What is CVE-2026-13378?

The Form Vibes – Database Manager for Forms plugin for WordPress has a vulnerability that allows for stored cross-site scripting (XSS). This arises from inadequate input sanitization and output escaping within the plugin, specifically concerning the Contact Form 7 form field. Attackers can exploit this vulnerability to inject malicious web scripts, which will execute automatically when a user visits an affected web page. This poses significant risks for WordPress users, as it could lead to unauthorized actions and exposure of sensitive data.

Affected Version(s)

Form Vibes – Save Contact Form 7 & Elementor Form Entries to Database 0 <= 1.5.2

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chawabhon Netisingha (JNX03)
.