Platform: wordpress
Component: lead-form-builder
Fixed in: 2.0.2
CVE-2026-32532 is a stored cross-site scripting (XSS) vulnerability in the Contact Form & Lead Form Elementor Builder plugin for WordPress (plugin slug lead-form-builder). An attacker can inject script content that the plugin stores on the server and later renders without sufficient escaping, so the script executes in the browser of every user who views the affected page. Versions of the plugin before 2.0.2 are affected; 2.0.2 contains the fix.
The impact is significant. Once a payload is in the plugin's stored data, it runs in the browser of any user who loads a page displaying the compromised form, with that user's origin and session. From there the script can read whatever the page can read, issue requests that carry the victim's cookies and any nonces present on the page, redirect the victim to a phishing site, or deface the page; for a logged-in administrator this amounts to the attacker acting with that user's privileges. One practical caveat: WordPress sets its authentication cookies HttpOnly, so script-driven actions performed inside the victim's session are a more realistic outcome than direct theft of the auth cookie. Given how widely Elementor and its add-on plugins are installed, the exposure is broad.
CVE-2026-32532 was publicly disclosed on 2026-03-25. At the time of writing there are no known public exploits or active campaigns targeting it, and it is not listed in the CISA KEV catalog. Stored XSS in a popular form plugin is easy to exploit and a common target for opportunistic, automated attacks, so the absence of known exploitation should not be read as low priority.
Exploit Status
EPSS: 0.04% (11th percentile)
CVSS Vector
The primary mitigation for CVE-2026-32532 is to upgrade the Contact Form & Lead Form Elementor Builder plugin to version 2.0.2 or later. If the upgrade has to wait for compatibility testing, a Web Application Firewall rule that blocks form submissions containing script tags, on* event-handler attributes or javascript: URIs reduces exposure, but treat it strictly as a stopgap: input pattern filters are routinely bypassed, and stored XSS is properly fixed where the stored value is rendered, by escaping it on output, which only a code fix in the plugin can provide. After upgrading, verify the fix on a staging copy rather than the live site: submit a form containing a harmless test payload such as <script>alert(1)</script>, open the page that displays the stored content, and confirm in the HTML source that the payload is rendered as text (for example as &lt;script&gt;) rather than as a live script element. Check the source rather than relying only on no alert appearing, since a Content Security Policy can suppress the alert while the markup is still injected.
Update to version 2.0.2, or a newer patched version
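As an added example that is not part of this advisory or of the plugin's own code, the following script performs the two checks above with WP-CLI: it reads the installed version of the lead-form-builder plugin and compares it with 2.0.2, and after the upgrade it fetches a page and looks for the raw test payload in the returned HTML. The script name, the SITE_URL and PAGE_PATH variables, and the idea of gating the live steps on SITE_URL are assumptions; the two helper functions can be used on their own without a WordPress install.

```shell
#!/usr/bin/env bash
# Added example, not code from the advisory or the plugin.
# Checks the installed lead-form-builder version against the fixed release
# and, after the upgrade, checks a page's HTML for an unescaped test payload.
set -eu

FIXED_VERSION="2.0.2"           # first fixed release per the advisory
PLUGIN_SLUG="lead-form-builder" # plugin slug from the advisory's Component field
TEST_PAYLOAD='<script>alert(1)</script>'

# Returns 0 (true) when $1 is strictly older than the fixed version.
# sort -V orders version strings component by component, so the installed
# version is vulnerable if it sorts first and is not equal to the fixed one.
is_vulnerable_version() {
  local installed="$1"
  [ "$installed" != "$FIXED_VERSION" ] &&
    [ "$(printf '%s\n%s\n' "$installed" "$FIXED_VERSION" | sort -V | head -n1)" = "$installed" ]
}

# Returns 0 when the raw payload appears unescaped in the HTML (still vulnerable),
# 1 when it is absent or only appears entity-encoded (e.g. &lt;script&gt;).
payload_unescaped_in_html() {
  local html="$1"
  case "$html" in
    *"$TEST_PAYLOAD"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Live check against a WordPress install; needs WP-CLI and curl on the host.
check_site() {
  local site_url="$1" page_path="$2"
  local installed html
  installed="$(wp plugin get "$PLUGIN_SLUG" --field=version)"
  if is_vulnerable_version "$installed"; then
    echo "$PLUGIN_SLUG $installed is older than $FIXED_VERSION: run 'wp plugin update $PLUGIN_SLUG'"
    return 2
  fi
  echo "$PLUGIN_SLUG $installed is at or above $FIXED_VERSION"

  # The test submission itself is made by hand through the form on a staging
  # copy; here we only inspect how the page that displays it renders the value.
  html="$(curl -fsSL "${site_url}${page_path}")"
  if payload_unescaped_in_html "$html"; then
    echo "raw payload found in ${page_path}: stored value is not being escaped"
    return 3
  fi
  echo "no unescaped payload in ${page_path}"
}

# Assumed usage: SITE_URL=https://staging.example.com PAGE_PATH=/contact/ ./check-lfb.sh
# The live steps run only when SITE_URL is set.
if [ -n "${SITE_URL:-}" ]; then
  check_site "$SITE_URL" "${PAGE_PATH:-/}"
fi
```

The version comparison deliberately avoids string equality alone, so that a later release such as 2.1.0 is not misreported as vulnerable, and the HTML check looks for the literal payload rather than for an alert firing, which a Content Security Policy could suppress.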
CVE-2026-32532 is a Stored XSS vulnerability in the Contact Form & Lead Form Elementor Builder plugin for WordPress, allowing attackers to inject malicious scripts stored on the server.
You are affected if you are using Contact Form & Lead Form Elementor Builder versions prior to 2.0.2. Check your plugin version and update immediately.
Upgrade the plugin to version 2.0.2 or later. Consider a WAF rule to filter malicious input as an interim measure.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the ThemeHunk website and WordPress plugin repository for the latest advisory and update information.