[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$frrFpNNtqDSNHekRz7vBTDaX4bLRS58wtwAGd7KxBw2Q":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":29},"CVE-2026-32532","lead-form-builder-contact-form-unauthenticated-stored-cross-site-scripting","Lead Form Builder & Contact Form \u003C= 2.0.1 - Unauthenticated Stored Cross-Site Scripting","The Lead Form Builder & Contact Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","lead-form-builder",null,"\u003C=2.0.1","2.0.2","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-23 00:00:00","2026-03-26 20:28:08",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4a18cb4a-8458-4337-843e-c3278028230f?source=api-prod",4,[],"researched",false,3,"This research plan outlines the methodology for exploiting a Stored Cross-Site Scripting (XSS) vulnerability in the **Lead Form Builder & Contact Form** plugin for WordPress.\n\n## 1. Vulnerability Summary\nThe Lead Form Builder & Contact Form plugin (versions \u003C= 2.0.1) fails to properly sanitize user-supplied input during the form submission process and fails to escape that data when it is rendered in the WordPress administrative dashboard (specifically the \"Lead Form -> Submissions\" area). This allows an unauthenticated attacker to submit a form containing malicious JavaScript. When an administrator views the submitted lead, the payload executes in their browser context, potentially leading to session hijacking, administrative account creation, or site takeover.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n- **Action:** `lfb_contact_form_data` (registered via `wp_ajax_nopriv_lfb_contact_form_data`)\n- **Vulnerable Parameter:** The values within the form submission, typically passed via `$_POST['form_data']` (often as a URL-encoded or serialized string) or individual field parameters.\n- **Authentication:** None required (Unauthenticated).\n- **Preconditions:** At least one lead form must be created and published on a page.\n\n## 3. Code Flow (Inferred)\n1. **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with the action `lfb_contact_form_data`.\n2. **Hook Registration:** The plugin registers the handler in `inc\u002Flfb-ajax-functions.php` (or similar):\n   ```php\n   add_action( 'wp_ajax_lfb_contact_form_data', 'lfb_contact_form_data_handler' );\n   add_action( 'wp_ajax_nopriv_lfb_contact_form_data', 'lfb_contact_form_data_handler' );\n   ```\n3. **Data Processing:** The handler function (e.g., `lfb_contact_form_data_handler`) retrieves values from `$_POST`. It likely iterates through the fields and stores them in the database (either in a custom table like `wp_lfb_form_entries` or as a custom post type `lfb_leads`).\n4. **Insufficient Sanitization:** The code fails to apply `sanitize_text_field()` or `wp_kses()` to the submitted values before storage.\n5. **Vulnerable Sink:** When an admin navigates to the \"Lead Form\" -> \"View Leads\" page, the plugin retrieves the entry and outputs it:\n   ```php\n   \u002F\u002F Inside the admin view template\n   echo $lead_entry_value; \u002F\u002F Missing esc_html()\n   ```\n\n## 4. Nonce Acquisition Strategy\nThe plugin typically enqueues a script for the form frontend. We need to extract the nonce required for the AJAX submission.\n\n1. **Shortcode Identification:** The plugin uses the shortcode `[lead-form form_id=\"ID_HERE\" title=\"TITLE\"]`.\n2. **Page Creation:** Create a test page containing this shortcode to force the plugin to load its assets.\n3. **Nonce Extraction:**\n   - Navigate to the created page using `browser_navigate`.\n   - The plugin localizes data in a variable, often named `lfb_data` or `lfb_vars`.\n   - **JavaScript Execution:**\n     ```javascript\n     \u002F\u002F Example based on common plugin patterns\n     return window.lfb_data?.lfb_nonce || document.querySelector('input[name=\"lfb_nonce\"]')?.value;\n     ```\n4. **Note:** If the plugin does not verify nonces for unauthenticated submissions (a common practice to avoid issues with caching plugins like WP Rocket), this step can be bypassed. We will verify if `check_ajax_referer` is present in the handler.\n\n## 5. Exploitation Strategy\nThe goal is to inject a payload that fires in the admin dashboard.\n\n### Step 1: Form Discovery\nIdentify the `form_id` and the field names. If a form is created with ID `1`, the fields are usually named sequentially (e.g., `field_1`, `field_2`).\n\n### Step 2: Submission Payload\nWe will send a POST request to `admin-ajax.php`.\n\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** POST\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```text\n  action=lfb_contact_form_data&\n  form_id=1&\n  field_1=TestUser&\n  field_2=\u003Cscript>alert('XSS_SUCCESS_LFB')\u003C\u002Fscript>&\n  lfb_nonce=[EXTRACTED_NONCE]\n  ```\n  *(Note: The exact structure of `form_data` might be a serialized string. If so, the body would look like: `action=lfb_contact_form_data&form_data=name%3DTest%26email%3D...`)*\n\n### Step 3: Triggering XSS\nLogin as an administrator and navigate to:\n`http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=lfb-view-extension` (Exact slug may vary, check `add_menu_page` in source).\n\n## 6. Test Data Setup\n1. **Create Lead Form:**\n   ```bash\n   # Use WP-CLI to ensure at least one form exists (if the plugin uses a CPT for forms)\n   # Or use browser_navigate to the admin area to create a simple contact form.\n   ```\n2. **Publish Form:**\n   Create a page with the shortcode:\n   ```bash\n   wp post create --post_type=page --post_title=\"Contact\" --post_status=publish --post_content='[lead-form form_id=\"1\" title=\"Contact Us\"]'\n   ```\n3. **Identify URL:** The page will be at `http:\u002F\u002Flocalhost:8080\u002Fcontact`.\n\n## 7. Expected Results\n- The AJAX submission should return a success message (e.g., `{\"status\":\"success\"}` or `1`).\n- When an admin views the \"Submissions\" page, an alert box with `XSS_SUCCESS_LFB` should appear.\n- In a real-world scenario, the payload would be:\n  ```html\n  \u003Cscript>fetch('\u002Fwp-admin\u002Fuser-new.php').then(r=>r.text()).then(t=>\u002F* extract nonce and create admin *\u002F)\u003C\u002Fscript>\n  ```\n\n## 8. Verification Steps\n1. **Check Database for Payload:**\n   ```bash\n   wp db query \"SELECT * FROM wp_posts WHERE post_type='lfb_leads' AND post_content LIKE '%\u003Cscript>%';\"\n   # OR, if using a custom table:\n   wp db query \"SELECT * FROM wp_lfb_form_entries WHERE field_values LIKE '%\u003Cscript>%';\"\n   ```\n2. **Verify Admin Dashboard Access:**\n   Use `browser_navigate` as an admin to the leads list and check for the presence of the `\u003Cscript>` tag in the page source via `browser_eval`.\n\n## 9. Alternative Approaches\n- **Serialized Input:** If the plugin expects the data in a specific format (like a serialized PHP string or a JSON object in a single parameter), adjust the `http_request` body accordingly.\n- **File Upload XSS:** If the form allows file uploads, check if the \"File\" field label or filename is rendered unsanitized in the admin area.\n- **Form Title XSS:** Check if the `form_id` itself or the `title` parameter in the submission is reflected in any \"Recent Activity\" widget on the main Dashboard.\n\n## 10. Key Files for Analysis\n- `lead-form-builder.php`: Main entry point and hook registrations.\n- `inc\u002Flfb-ajax-functions.php`: AJAX handlers for form submission.\n- `admin\u002Finc\u002Flfb-admin-functions.php`: Functions for rendering leads in the admin area (the sink).\n- `inc\u002Flfb-shortcode.php`: Shortcode registration and front-end form rendering.","gemini-3-flash-preview","2026-04-17 23:30:03","2026-04-17 23:30:22",{"type":30,"vulnerable_version":31,"fixed_version":9,"vulnerable_browse":32,"vulnerable_zip":33,"fixed_browse":9,"fixed_zip":9,"all_tags":34},"plugin","2.0.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flead-form-builder\u002Ftags\u002F2.0.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flead-form-builder.2.0.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flead-form-builder\u002Ftags"]