CVE-2026-13378 in Form Vibes Plugin
Summary
by MITRE • 07/11/2026
The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Contact Form 7 Form Field in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/11/2026
The Form Vibes – Database Manager for Forms plugin for WordPress represents a significant security vulnerability through its susceptibility to stored cross-site scripting attacks within Contact Form 7 form fields. This weakness affects all versions up to and including 1.5.2, creating a persistent threat vector that enables unauthenticated attackers to inject malicious web scripts into the plugin's database storage mechanisms. The vulnerability stems from inadequate input sanitization processes and insufficient output escaping measures that fail to properly validate and sanitize user-supplied data before it is stored and subsequently rendered on web pages. When users access pages containing the injected content, the malicious scripts execute in their browsers, potentially compromising user sessions and enabling further attack vectors.
The technical flaw manifests through the plugin's failure to implement proper data validation and sanitization protocols for form field inputs. Specifically, when Contact Form 7 forms are processed through the Form Vibes plugin, user-entered data bypasses adequate filtering mechanisms that should strip or encode potentially dangerous script content. This allows attackers to submit malicious payloads such as javascript code, html tags, or other script-based attacks that get stored in the database and executed whenever legitimate users view the affected pages. The vulnerability operates under CWE-79 which classifies improper neutralization of input during web page generation, making it particularly dangerous as the attack payload persists in the system rather than being temporary.
The operational impact of this vulnerability extends beyond simple script execution to potentially compromise entire user sessions and enable more sophisticated attacks such as session hijacking, credential theft, or redirection to malicious sites. Attackers can craft payloads that exploit the stored XSS to steal cookies, modify page content, or redirect users to phishing sites without requiring any authentication or privileged access to the WordPress installation. The persistent nature of stored XSS means that once an attacker successfully injects malicious code, it remains active until manually removed from the database, creating a long-term threat vector for all users who access affected pages.
Mitigation strategies should focus on immediate remediation through plugin updates to versions that address the input sanitization and output escaping deficiencies. System administrators must implement proper content security policies and ensure that all user inputs are properly validated and escaped before storage or rendering. Additionally, implementing web application firewalls with XSS detection capabilities can provide additional layers of protection. The vulnerability aligns with ATT&CK technique T1566 which covers credential access through phishing and malicious payloads, highlighting the potential for this XSS to serve as a gateway for broader compromise. Regular security audits and input validation testing should be implemented to prevent similar vulnerabilities in other plugins or custom code implementations.