CVE-2026-9278 – Form Builder CP < 1.2.47 – Editor+ Stored XSS via form_structure

CVE ID :CVE-2026-9278

Published : June 15, 2026, 8:16 a.m. | 2 hours, 41 minutes ago

Description :The Form Builder CP WordPress plugin before 1.2.47 does not properly sanitize a form configuration value before storing it and using it as part of a client-side script execution, allowing authenticated users with Editor-level access and above to perform Stored Cross-Site Scripting attacks against any visitor of a page rendering the affected form, even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network).

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…