{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/form-vibes--database-manager-for-forms--1.5.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-13378"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Form Vibes – Database Manager for Forms (\u003c= 1.5.2)"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","vulnerability","xss","web"],"_cs_type":"advisory","_cs_vendors":["wpvibes"],"content_html":"\u003cp\u003eCVE-2026-13378 details a Stored Cross-Site Scripting (XSS) vulnerability affecting the \u0026quot;Form Vibes - Database Manager for Forms\u0026quot; plugin for WordPress. All versions up to, and including, 1.5.2 are susceptible. This flaw stems from inadequate input sanitization and output escaping when handling data submitted via Contact Form 7 form fields. An unauthenticated attacker can exploit this by injecting malicious web scripts into these forms. The plugin then stores this unsanitized script within the database. When a legitimate user, such as an administrator or another site visitor, accesses a page where this stored form data is rendered, the malicious script executes in their browser, potentially leading to session hijacking, unauthorized actions, or defacement. This vulnerability affects WordPress sites utilizing the specified plugin and can compromise user accounts, impacting data integrity and user trust.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site running the vulnerable \u0026quot;Form Vibes - Database Manager for Forms\u0026quot; plugin (versions \u0026lt;= 1.5.2) with Contact Form 7 enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious input containing JavaScript payload (e.g., \u003ccode\u003e\u0026lt;script\u0026gt;alert(document.cookie)\u0026lt;/script\u0026gt;\u003c/code\u003e) designed for Stored XSS.\u003c/li\u003e\n\u003cli\u003eThe attacker submits this malicious input through a Contact Form 7 form on the target WordPress site.\u003c/li\u003e\n\u003cli\u003eThe \u0026quot;Form Vibes\u0026quot; plugin processes the submitted data but fails to adequately sanitize or escape the malicious script due to the vulnerability CVE-2026-13378.\u003c/li\u003e\n\u003cli\u003eThe unsanitized malicious JavaScript payload is stored persistently in the website's database by the plugin, associated with the form entry.\u003c/li\u003e\n\u003cli\u003eA legitimate user, such as an administrator, accesses a page (e.g., the plugin's submission viewer or a public page displaying form entries) where the stored, malicious form data is rendered.\u003c/li\u003e\n\u003cli\u003eThe user's web browser loads the page and executes the attacker's injected JavaScript within the context of the user's session.\u003c/li\u003e\n\u003cli\u003eThe executed script performs its malicious function, such as stealing session cookies, redirecting the user, or performing unauthorized actions on behalf of the user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-13378 can lead to significant compromise of the affected WordPress site and its users. An attacker can gain unauthorized control over user sessions, including those of administrators, allowing them to perform arbitrary actions, modify website content, deface pages, or inject further malicious content. The attacker can also steal sensitive data accessible to the compromised user, such as session cookies, credentials, or personal information. The impact extends to user trust and site reputation, as visitors might be redirected to phishing sites or exposed to drive-by download attacks. While specific victim counts are not available, any website using the vulnerable plugin is at risk, with potential compromise for any user who views the injected content.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-13378 immediately by updating the \u0026quot;Form Vibes - Database Manager for Forms\u0026quot; plugin to a version greater than 1.5.2.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for \u003ccode\u003ewebserver\u003c/code\u003e logs in this brief to detect potential XSS injection attempts via Contact Form 7.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive logging for your web server (e.g., Apache, Nginx) to capture HTTP requests, including full URI-stem, query, and request body when possible, to facilitate detection of malicious payloads.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) in front of your WordPress instances to filter and block common XSS payloads, supplementing the detection rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-11T06:18:24Z","date_published":"2026-07-11T06:18:24Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-13378-form-vibes-xss/","summary":"The Form Vibes - Database Manager for Forms plugin for WordPress, including all versions up to and including 1.5.2, is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts into pages that execute when a user accesses an injected page.","title":"CVE-2026-13378 - Form Vibes WordPress Plugin Vulnerable to Stored Cross-Site Scripting","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-13378-form-vibes-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - Form Vibes – Database Manager for Forms (\u003c= 1.5.2)","version":"https://jsonfeed.org/version/1.1"}