The Form Builder CP WordPress plugin before 1.2.47 does not properly sanitize a form configuration value before storing it and using it as part of a client-side script execution, allowing authenticated users with Editor-level access and above to perform Stored Cross-Site Scripting attacks against any visitor of a page rendering the affected form, even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network).

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

No data.

No data.

No data.

References
Link Providers
https://wpscan.com/vulnerability/b306b6f1-ca34-495f-a823-6e8f66e343d7/ cve-icon cve-icon
History

Mon, 15 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Mon, 15 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Description The Form Builder CP WordPress plugin before 1.2.47 does not properly sanitize a form configuration value before storing it and using it as part of a client-side script execution, allowing authenticated users with Editor-level access and above to perform Stored Cross-Site Scripting attacks against any visitor of a page rendering the affected form, even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network).
Title Form Builder CP < 1.2.47 - Editor+ Stored XSS via form_structure
References
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2026-06-15T06:00:02.522Z

Updated: 2026-06-15T06:00:02.522Z

Reserved: 2026-05-22T12:25:11.923Z

Link: CVE-2026-9278

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-15T08:16:22.200

Modified: 2026-06-15T08:16:22.200

Link: CVE-2026-9278

cve-icon Redhat

No data.