Back to Dashboard

CVE-2026-13378

Published: July 11, 2026Last Modified: July 11, 2026
CVSS SCORE
7.2
HIGH

Vulnerability Description

The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Contact Form 7 Form Field in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affected Products & Versions

No configurations parsed from local entry.

Mitigation & Remediation

Update the affected packages to a secure version. Refer to vendor security advisories.

Share Advisory

Copy the standardized markdown formatted vulnerability report to post in Slack, Teams, email, or ticketing systems.

# HIGH - CVE-2026-13378 ## EFFECT The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Contact Form 7 Form Field in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. ## AFFECTED Unknown products ## LINKS - [plugins.trac.wordpress.org](https://plugins.trac.wordpress.org/browser/form-vibes/tags/1.5.2/assets/dist/js/submission.js#L1) - [plugins.trac.wordpress.org](https://plugins.trac.wordpress.org/browser/form-vibes/tags/1.5.2/inc/integrations/base.php#L141) - [plugins.trac.wordpress.org](https://plugins.trac.wordpress.org/browser/form-vibes/tags/1.5.2/inc/integrations/cf7.php#L126) - [plugins.trac.wordpress.org](https://plugins.trac.wordpress.org/changeset?reponame=&old=3599917%40form-vibes&new=3597349%40form-vibes) - [www.wordfence.com](https://www.wordfence.com/threat-intel/vulnerabilities/id/c6716a5d-48ed-4735-b765-a7606ea401d0?source=cve) ## SOLUTION - Update the affected packages to a secure version. Refer to vendor security advisories.