CVE-2026-13378

WPVibes · Form Vibes – Save Contact Form 7 & Elementor Form Entries to Database

The Form Vibes WordPress plugin is vulnerable to stored cross-site scripting (XSS) via Contact Form 7 form fields.

Executive summary

The Form Vibes WordPress plugin is susceptible to stored cross-site scripting, enabling attackers to execute arbitrary scripts in the WordPress dashboard.

Vulnerability

This is a stored XSS vulnerability (CWE-79) occurring due to failure to neutralize user-supplied input within form fields before storing and rendering them in the database manager. The attack vector is unauthenticated (PR:N).

Business impact

An attacker can store malicious JavaScript in form submissions, which will then execute when an administrator views the entries in the WordPress dashboard. This can lead to administrative account takeover, site-wide script execution, or unauthorized configuration changes, justifying the 7.2 CVSS score.

Remediation

Immediate Action: Update the "Form Vibes" plugin to version 1.5.3 or later.

Proactive Monitoring: Regularly audit the form submission database for suspicious scripts or unexpected characters in entry fields.

Compensating Controls: Use a Web Application Firewall (WAF) to block requests containing common XSS vectors before they reach the plugin's submission handler.

Exploitation status

Public Exploit Available: No

Analyst recommendation

The vulnerability poses a high risk to administrative integrity. It is recommended to apply the 1.5.3 update immediately. If the plugin is not actively used, it should be removed to minimize the attack surface of the WordPress installation.