CVE-2026-9278

MEDIUM

Form Builder CP < 1.2.47 - Editor+ Stored XSS via form_structure

Title source: cna
STIX 2.1

Description

The Form Builder CP WordPress plugin before 1.2.47 does not properly sanitize a form configuration value before storing it and using it as part of a client-side script execution, allowing authenticated users with Editor-level access and above to perform Stored Cross-Site Scripting attacks against any visitor of a page rendering the affected form, even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network).

References (1)

Core 1
Core References
Exploit exploit vdb-entry technical-description
https://wpscan.com/vulnerability/b306b6f1-ca34-495f-a823-6e8f66e343d7/

Scores

CVSS v3 5.4
EPSS 0.0016
EPSS Percentile 5.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

Status published
Products (1)
None/Form Builder CP < 1.2.47
Published Jun 15, 2026
Tracked Since Jun 15, 2026