WP-Safety
CVE-2026-32532

Lead Form Builder & Contact Form <= 2.0.1 - Unauthenticated Stored Cross-Site Scripting

highImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
7.2
CVSS Score
7.2
CVSS Score
high
Severity
2.0.2
Patched in
4d
Time to patch

Description

The Lead Form Builder & Contact Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.0.1
PublishedMarch 23, 2026
Last updatedMarch 26, 2026
Affected pluginlead-form-builder

Source Code

WordPress.org SVN
Vulnerable v2.0.1
Browse source Download .zip
Patched

Patched version not available.

Research Plan
Unverified

This research plan outlines the methodology for exploiting a Stored Cross-Site Scripting (XSS) vulnerability in the **Lead Form Builder & Contact Form** plugin for WordPress. ## 1. Vulnerability Summary The Lead Form Builder & Contact Form plugin (versions <= 2.0.1) fails to properly sanitize user-…

Show full research plan

This research plan outlines the methodology for exploiting a Stored Cross-Site Scripting (XSS) vulnerability in the Lead Form Builder & Contact Form plugin for WordPress.

1. Vulnerability Summary

The Lead Form Builder & Contact Form plugin (versions <= 2.0.1) fails to properly sanitize user-supplied input during the form submission process and fails to escape that data when it is rendered in the WordPress administrative dashboard (specifically the "Lead Form -> Submissions" area). This allows an unauthenticated attacker to submit a form containing malicious JavaScript. When an administrator views the submitted lead, the payload executes in their browser context, potentially leading to session hijacking, administrative account creation, or site takeover.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • Action: lfb_contact_form_data (registered via wp_ajax_nopriv_lfb_contact_form_data)
  • Vulnerable Parameter: The values within the form submission, typically passed via $_POST['form_data'] (often as a URL-encoded or serialized string) or individual field parameters.
  • Authentication: None required (Unauthenticated).
  • Preconditions: At least one lead form must be created and published on a page.

3. Code Flow (Inferred)

  1. Entry Point: An unauthenticated user sends a POST request to admin-ajax.php with the action lfb_contact_form_data.
  2. Hook Registration: The plugin registers the handler in inc/lfb-ajax-functions.php (or similar):
    add_action( 'wp_ajax_lfb_contact_form_data', 'lfb_contact_form_data_handler' );
add_action( 'wp_ajax_nopriv_lfb_contact_form_data', 'lfb_contact_form_data_handler' );
  3. Data Processing: The handler function (e.g., lfb_contact_form_data_handler) retrieves values from $_POST. It likely iterates through the fields and stores them in the database (either in a custom table like wp_lfb_form_entries or as a custom post type lfb_leads).
  4. Insufficient Sanitization: The code fails to apply sanitize_text_field() or wp_kses() to the submitted values before storage.
  5. Vulnerable Sink: When an admin navigates to the "Lead Form" -> "View Leads" page, the plugin retrieves the entry and outputs it:
    // Inside the admin view template
echo $lead_entry_value; // Missing esc_html()

4. Nonce Acquisition Strategy

The plugin typically enqueues a script for the form frontend. We need to extract the nonce required for the AJAX submission.

  1. Shortcode Identification: The plugin uses the shortcode [lead-form form_id="ID_HERE" title="TITLE"].
  2. Page Creation: Create a test page containing this shortcode to force the plugin to load its assets.
  3. Nonce Extraction:
    • Navigate to the created page using browser_navigate.
    • The plugin localizes data in a variable, often named lfb_data or lfb_vars.
    • JavaScript Execution:
      // Example based on common plugin patterns
return window.lfb_data?.lfb_nonce || document.querySelector('input[name="lfb_nonce"]')?.value;
  4. Note: If the plugin does not verify nonces for unauthenticated submissions (a common practice to avoid issues with caching plugins like WP Rocket), this step can be bypassed. We will verify if check_ajax_referer is present in the handler.

5. Exploitation Strategy

The goal is to inject a payload that fires in the admin dashboard.

Step 1: Form Discovery

Identify the form_id and the field names. If a form is created with ID 1, the fields are usually named sequentially (e.g., field_1, field_2).

Step 2: Submission Payload

We will send a POST request to admin-ajax.php.

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=lfb_contact_form_data&
form_id=1&
field_1=TestUser&
field_2=<script>alert('XSS_SUCCESS_LFB')</script>&
lfb_nonce=[EXTRACTED_NONCE]
    (Note: The exact structure of form_data might be a serialized string. If so, the body would look like: action=lfb_contact_form_data&form_data=name%3DTest%26email%3D...)

Step 3: Triggering XSS

Login as an administrator and navigate to:
http://localhost:8080/wp-admin/admin.php?page=lfb-view-extension (Exact slug may vary, check add_menu_page in source).

6. Test Data Setup

  1. Create Lead Form:
    # Use WP-CLI to ensure at least one form exists (if the plugin uses a CPT for forms)
# Or use browser_navigate to the admin area to create a simple contact form.
  2. Publish Form:
    Create a page with the shortcode:
    wp post create --post_type=page --post_title="Contact" --post_status=publish --post_content='[lead-form form_id="1" title="Contact Us"]'
  3. Identify URL: The page will be at http://localhost:8080/contact.

7. Expected Results

  • The AJAX submission should return a success message (e.g., {"status":"success"} or 1).
  • When an admin views the "Submissions" page, an alert box with XSS_SUCCESS_LFB should appear.
  • In a real-world scenario, the payload would be:
    <script>fetch('/wp-admin/user-new.php').then(r=>r.text()).then(t=>/* extract nonce and create admin */)</script>

8. Verification Steps

  1. Check Database for Payload:
    wp db query "SELECT * FROM wp_posts WHERE post_type='lfb_leads' AND post_content LIKE '%<script>%';"
# OR, if using a custom table:
wp db query "SELECT * FROM wp_lfb_form_entries WHERE field_values LIKE '%<script>%';"
  2. Verify Admin Dashboard Access:
    Use browser_navigate as an admin to the leads list and check for the presence of the <script> tag in the page source via browser_eval.

9. Alternative Approaches

  • Serialized Input: If the plugin expects the data in a specific format (like a serialized PHP string or a JSON object in a single parameter), adjust the http_request body accordingly.
  • File Upload XSS: If the form allows file uploads, check if the "File" field label or filename is rendered unsanitized in the admin area.
  • Form Title XSS: Check if the form_id itself or the title parameter in the submission is reflected in any "Recent Activity" widget on the main Dashboard.

10. Key Files for Analysis

  • lead-form-builder.php: Main entry point and hook registrations.
  • inc/lfb-ajax-functions.php: AJAX handlers for form submission.
  • admin/inc/lfb-admin-functions.php: Functions for rendering leads in the admin area (the sink).
  • inc/lfb-shortcode.php: Shortcode registration and front-end form rendering.
References
https://www.wordfence.com/threat-intel/vulnerabilities/id/4a18cb4a-8458-4337-843e-c3278028230f?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database