Attack Vectors
High severity Stored Cross-Site Scripting (XSS) has been identified in the Lead Form Builder & Contact Form WordPress plugin (Responsive Contact Form Builder & Lead Generation Plugin) up to version 2.0.1 (CVE-2026-1454, CVSS 7.2).
The primary entry point is public form field submissions. Because the vulnerability is unauthenticated, an attacker does not need a login to submit a crafted payload through a site’s lead/contact form. Once stored, the malicious script can run later when the stored entry is viewed in a WordPress admin context or other page where the entry is rendered.
Security Weakness
The issue is caused by insufficient input sanitization in the plugin’s lfb_lead_sanitize() function, which omits certain field types from its sanitization whitelist. This allows attacker-supplied content to be stored without being properly cleaned.
Compounding the risk, output filtering uses an overly permissive configuration of wp_kses() that allows onclick attributes on anchor tags. This combination makes it easier for injected scripts to execute when the stored content is displayed.
Affected product: Lead Form Builder & Contact Form (slug: lead-form-builder) versions <= 2.0.1. Recommended remediation is to update to 2.0.2 or newer (patched version). Source: Wordfence advisory. CVE record: CVE-2026-1454.
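To make the two weaknesses concrete, here is an added example that is not the plugin's own code (names prefixed lfb_demo_ are hypothetical): a wp_kses() profile that admits onclick beside one that does not, and a per-type input sanitizer that defaults to plain-text cleaning for any field type it does not explicitly handle.

```php
<?php
// Added illustration of the weakness class described above; the lfb_demo_*
// names are hypothetical and do not come from the lead-form-builder plugin.

// WEAK: a wp_kses() profile that lists an event-handler attribute on <a>.
// wp_kses() keeps only listed tags/attributes, so even though <script> is
// dropped, an allowed 'onclick' still lets script reach whoever renders it.
$lfb_demo_allowed_weak = array(
    'a' => array( 'href' => true, 'title' => true, 'onclick' => true ),
);

// HARDENED: same tag, no on* attributes at all.
$lfb_demo_allowed_safe = array(
    'a'  => array( 'href' => true, 'title' => true ),
    'br' => array(),
);

// Input side: sanitize by field type and default-deny anything unlisted
// (the root cause above is a whitelist that skipped some field types).
function lfb_demo_sanitize_field( $type, $value ) {
    switch ( $type ) {
        case 'email':
            return sanitize_email( $value );
        case 'url':
            return esc_url_raw( $value );
        case 'textarea':
            return sanitize_textarea_field( $value );
        default:
            // Unknown or omitted types get plain-text cleaning (tags stripped)
            // instead of being stored verbatim.
            return sanitize_text_field( $value );
    }
}

// Output side: filter at render time; stored lead data is never trusted.
function lfb_demo_render_lead_value( $stored, $allowed ) {
    return wp_kses( $stored, $allowed, array( 'http', 'https', 'mailto' ) );
}

// Constructed sample submission: an anchor carrying an inert event handler.
$submitted = '<a href="https://example.com" onclick="/* attacker-controlled */">offer</a>';
$stored    = lfb_demo_sanitize_field( 'message', $submitted ); // unlisted type -> "offer"
echo lfb_demo_render_lead_value( $stored, $lfb_demo_allowed_safe );
```

To check exposure on a site, `wp plugin get lead-form-builder --field=version` prints the installed version; anything at or below 2.0.1 needs the 2.0.2 update.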
Technical or Business Impacts
Administrative session risk: Stored XSS often aims to run code in a privileged user’s browser. If an administrator or marketing user views the affected lead entry, the injected script may be able to perform actions in their session context (for example, changing site settings or creating new admin users), depending on what the attacker attempts and what the browser/session allows.
Lead pipeline disruption and brand risk: Marketing teams rely on contact forms for revenue attribution, campaign measurement, and inbound sales. A compromise that alters form content, injects unwanted links, or causes visitors/admin users to see suspicious behavior can reduce conversion rates, harm brand trust, and lead to blacklisting or reputation damage if the site is leveraged for malicious redirects.
Compliance exposure: Contact forms frequently collect personal data (names, emails, phone numbers). If an attacker uses XSS to access or exfiltrate data shown in admin views, organizations may face incident-response obligations, potential regulatory notifications, and legal risk depending on jurisdiction and data classification.
Operational cost: Even without confirmed data loss, remediating a High severity web vulnerability can involve emergency patching, forensic review, credential resets, and communication overhead across Marketing, IT, Compliance, and leadership.
Similar Attacks
Stored XSS in widely used WordPress plugins is a recurring pattern, often triggered through public-facing forms or content fields and then executed when an administrator views the stored data. Examples:
CVE-2024-27956 (WP Automatic plugin) — a high-profile WordPress plugin security issue that drew broad attention and demonstrated how plugin flaws can lead to serious site compromise.
CVE-2021-24307 (Contact Form 7 Database Addon – CFDB7) — a WordPress plugin issue illustrating how stored data and admin views can become a pathway to exploitation when input/output handling is weak.