CVE-2026-13378
Published: July 11, 2026•Last Modified: July 11, 2026
CVSS SCORE
7.2
HIGH
Vulnerability Description
The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Contact Form 7 Form Field in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected Products & Versions
No configurations parsed from local entry.
Security Advisories & References
- https://plugins.trac.wordpress.org/browser/form-vibes/tags/1.5.2/assets/dist/js/submission.js#L1
- https://plugins.trac.wordpress.org/browser/form-vibes/tags/1.5.2/inc/integrations/base.php#L141
- https://plugins.trac.wordpress.org/browser/form-vibes/tags/1.5.2/inc/integrations/cf7.php#L126
- https://plugins.trac.wordpress.org/changeset?reponame=&old=3599917%40form-vibes&new=3597349%40form-vibes
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c6716a5d-48ed-4735-b765-a7606ea401d0?source=cve
Mitigation & Remediation
Update the affected packages to a secure version. Refer to vendor security advisories.
Share Advisory
Copy the standardized markdown formatted vulnerability report to post in Slack, Teams, email, or ticketing systems.
# HIGH - CVE-2026-13378
## EFFECT
The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Contact Form 7 Form Field in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
## AFFECTED
Unknown products
## LINKS
- [plugins.trac.wordpress.org](https://plugins.trac.wordpress.org/browser/form-vibes/tags/1.5.2/assets/dist/js/submission.js#L1)
- [plugins.trac.wordpress.org](https://plugins.trac.wordpress.org/browser/form-vibes/tags/1.5.2/inc/integrations/base.php#L141)
- [plugins.trac.wordpress.org](https://plugins.trac.wordpress.org/browser/form-vibes/tags/1.5.2/inc/integrations/cf7.php#L126)
- [plugins.trac.wordpress.org](https://plugins.trac.wordpress.org/changeset?reponame=&old=3599917%40form-vibes&new=3597349%40form-vibes)
- [www.wordfence.com](https://www.wordfence.com/threat-intel/vulnerabilities/id/c6716a5d-48ed-4735-b765-a7606ea401d0?source=cve)
## SOLUTION
- Update the affected packages to a secure version. Refer to vendor security advisories.