Skip to content
Threat Feed
high advisory

CVE-2026-13378 - Form Vibes WordPress Plugin Vulnerable to Stored Cross-Site Scripting

The Form Vibes - Database Manager for Forms plugin for WordPress, including all versions up to and including 1.5.2, is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts into pages that execute when a user accesses an injected page.

CVE-2026-13378 details a Stored Cross-Site Scripting (XSS) vulnerability affecting the "Form Vibes - Database Manager for Forms" plugin for WordPress. All versions up to, and including, 1.5.2 are susceptible. This flaw stems from inadequate input sanitization and output escaping when handling data submitted via Contact Form 7 form fields. An unauthenticated attacker can exploit this by injecting malicious web scripts into these forms. The plugin then stores this unsanitized script within the database. When a legitimate user, such as an administrator or another site visitor, accesses a page where this stored form data is rendered, the malicious script executes in their browser, potentially leading to session hijacking, unauthorized actions, or defacement. This vulnerability affects WordPress sites utilizing the specified plugin and can compromise user accounts, impacting data integrity and user trust.

Attack Chain

  1. An unauthenticated attacker identifies a WordPress site running the vulnerable "Form Vibes - Database Manager for Forms" plugin (versions <= 1.5.2) with Contact Form 7 enabled.
  2. The attacker crafts a malicious input containing JavaScript payload (e.g., <script>alert(document.cookie)</script>) designed for Stored XSS.
  3. The attacker submits this malicious input through a Contact Form 7 form on the target WordPress site.
  4. The "Form Vibes" plugin processes the submitted data but fails to adequately sanitize or escape the malicious script due to the vulnerability CVE-2026-13378.
  5. The unsanitized malicious JavaScript payload is stored persistently in the website's database by the plugin, associated with the form entry.
  6. A legitimate user, such as an administrator, accesses a page (e.g., the plugin's submission viewer or a public page displaying form entries) where the stored, malicious form data is rendered.
  7. The user's web browser loads the page and executes the attacker's injected JavaScript within the context of the user's session.
  8. The executed script performs its malicious function, such as stealing session cookies, redirecting the user, or performing unauthorized actions on behalf of the user.

Impact

Successful exploitation of CVE-2026-13378 can lead to significant compromise of the affected WordPress site and its users. An attacker can gain unauthorized control over user sessions, including those of administrators, allowing them to perform arbitrary actions, modify website content, deface pages, or inject further malicious content. The attacker can also steal sensitive data accessible to the compromised user, such as session cookies, credentials, or personal information. The impact extends to user trust and site reputation, as visitors might be redirected to phishing sites or exposed to drive-by download attacks. While specific victim counts are not available, any website using the vulnerable plugin is at risk, with potential compromise for any user who views the injected content.

Recommendation

  • Patch CVE-2026-13378 immediately by updating the "Form Vibes - Database Manager for Forms" plugin to a version greater than 1.5.2.
  • Deploy the Sigma rule for webserver logs in this brief to detect potential XSS injection attempts via Contact Form 7.
  • Enable comprehensive logging for your web server (e.g., Apache, Nginx) to capture HTTP requests, including full URI-stem, query, and request body when possible, to facilitate detection of malicious payloads.
  • Implement a Web Application Firewall (WAF) in front of your WordPress instances to filter and block common XSS payloads, supplementing the detection rule.

Detection coverage 1

Detects CVE-2026-13378 Exploitation - Form Vibes XSS Injection Attempt

high

Detects attempts to inject Stored Cross-Site Scripting payloads via Contact Form 7 submissions, targeting the Form Vibes plugin vulnerability CVE-2026-13378. This rule looks for common XSS indicators in web server logs for POST requests.

sigma tactics: execution, initial_access techniques: T1059.007, T1190 sources: webserver

Detection queries are available on the platform. Get full rules →

Indicators of compromise

5

url

TypeValue
urlhttps://plugins.trac.wordpress.org/browser/form-vibes/tags/1.5.2/assets/dist/js/submission.js#L1
urlhttps://plugins.trac.wordpress.org/browser/form-vibes/tags/1.5.2/inc/integrations/base.php#L141
urlhttps://plugins.trac.wordpress.org/browser/form-vibes/tags/1.5.2/inc/integrations/cf7.php#L126
urlhttps://plugins.trac.wordpress.org/changeset?reponame=&old=3599917%40form-vibes&new=3597349%40form-vibes
urlhttps://www.wordfence.com/threat-intel/vulnerabilities/id/c6716a5d-48ed-4735-b765-a7606ea401d0?source=cve