CVE-2026-1454
📋 TL;DR
This vulnerability allows unauthenticated attackers to inject malicious scripts into WordPress lead form submissions. When administrators view these submissions in the dashboard, the scripts execute, potentially compromising admin accounts. All WordPress sites using the Responsive Contact Form Builder & Lead Generation Plugin up to version 2.0.1 are affected.
💻 Affected Systems
- Responsive Contact Form Builder & Lead Generation Plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to WordPress sites, install backdoors, steal sensitive data, or deface websites.
Likely Case
Attackers hijack administrator sessions to modify site content, install malicious plugins, or redirect visitors to phishing sites.
If Mitigated
With proper input validation and output escaping, malicious scripts are neutralized before execution.
🎯 Exploit Status
Exploitation requires submitting specially crafted form data; no authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3462549/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Responsive Contact Form Builder & Lead Generation Plugin'. 4. Click 'Update Now' if available. 5. If no update appears, manually download version 2.0.2+ from WordPress.org and replace plugin files.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily deactivate the vulnerable plugin until patched.
wp plugin deactivate lead-form-builder
Restrict Form Access
allUse web application firewall to block suspicious form submissions.
🧯 If You Can't Patch
- Remove or disable the plugin entirely.
- Implement strict Content Security Policy (CSP) headers to block inline script execution.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Responsive Contact Form Builder & Lead Generation Plugin' version ≤2.0.1.Check Version:
wp plugin get lead-form-builder --field=versionVerify Fix Applied:
Confirm plugin version is 2.0.2 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual form submissions with script tags or onclick attributes in POST data
- Admin dashboard access logs showing script execution attempts
Network Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with malicious payloads in form fields
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND ("onclick" OR "javascript:" OR "<script>")🔗 References
- https://plugins.trac.wordpress.org/browser/lead-form-builder/tags/2.0.1/inc/ajax-functions.php#L587
- https://plugins.trac.wordpress.org/browser/lead-form-builder/tags/2.0.1/inc/show-lead.php#L13
- https://plugins.trac.wordpress.org/changeset/3462549/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f5863132-90a7-414f-abcb-e8b6a9d229c5?source=cve
