Platform
wordpress
Component
lead-form-builder
Fixed in
2.0.2
CVE-2026-32532 describes a Stored Cross-Site Scripting (XSS) vulnerability within the Contact Form & Lead Form Elementor Builder plugin for WordPress. This vulnerability allows attackers to inject malicious scripts that are stored on the server and executed when other users view the affected pages. Versions of the plugin prior to 2.0.2 are vulnerable, and a patch has been released to address the issue.
The impact of this XSS vulnerability is significant. An attacker could inject arbitrary JavaScript code into the plugin's data storage, which would then be executed in the browsers of any user visiting a page displaying the compromised form. This could lead to a variety of malicious actions, including stealing user cookies and session tokens, redirecting users to phishing sites, or defacing the website. The attacker could potentially gain complete control over the user's session, allowing them to perform actions on their behalf. Given the widespread use of Elementor and its add-ons, this vulnerability has a broad potential impact.
CVE-2026-32532 was publicly disclosed on 2026-03-25. Currently, there are no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog. The vulnerability's ease of exploitation and the popularity of the plugin suggest it could become a target for opportunistic attackers.
Websites utilizing the Contact Form & Lead Form Elementor Builder plugin, particularly those running older versions (prior to 2.0.2), are at risk. Shared hosting environments where plugin updates are managed by the hosting provider are also at increased risk, as users may not have direct control over plugin versions. Sites heavily reliant on contact forms for lead generation are particularly vulnerable.
• wordpress / composer / npm:
  grep -r '<script>' /var/www/html/wp-content/plugins/lead-form-builder/*
• generic web:
  curl -I https://example.com/contact-form | grep -i content-type
• wordpress / composer / npm:
  wp plugin list --status=active | grep lead-form-builder
Exploit status
disclosure
EPSS
0.04% (percentile 11%)
CVSS vector
The primary mitigation for CVE-2026-32532 is to immediately upgrade the Contact Form & Lead Form Elementor Builder plugin to version 2.0.2 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious input in the form fields. Specifically, look for patterns associated with JavaScript injection attempts. Thoroughly sanitize all user-supplied input within the plugin to prevent further exploitation. After upgrading, confirm the vulnerability is resolved by submitting a test form with a simple XSS payload (e.g., <script>alert(1)</script>) and verifying that the script is not executed.
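The two defender-side checks the advisory describes, identifying whether the installed plugin is older than the fixed release and spotting JavaScript-injection patterns in stored form values, as an added example that is not part of the original page or of the plugin's own code. The plugin header text and the form submissions below are constructed samples; the version number 2.0.2 is the fixed release named above, and the `Version:` header line is the standard field WordPress reads from a plugin's main file.

```python
"""Defender-side checks for CVE-2026-32532 (constructed example, not from the advisory).

1. parse_plugin_version() / is_vulnerable(): read the `Version:` header of a
   WordPress plugin's main file and decide whether the installed copy predates
   the fixed release 2.0.2.
2. flags_script_injection(): the kind of pattern check a WAF rule or a review of
   stored submissions would apply to form-field values (heuristic, can produce
   false positives on plain text such as "online=yes").
"""
import re

FIXED_VERSION = "2.0.2"  # fixed release named in the advisory

# The `Version:` line WordPress reads from a plugin's main-file header comment.
_VERSION_HEADER = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)

# Indicators of HTML/JS injection in a field that should hold plain text.
_INJECTION_PATTERNS = [
    re.compile(r"<\s*script\b", re.IGNORECASE),                 # <script ...>
    re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),                # onerror=, onload=, ...
    re.compile(r"javascript\s*:", re.IGNORECASE),                # javascript: URLs
    re.compile(r"<\s*(iframe|svg|img|object|embed)\b", re.IGNORECASE),
]

# Constructed sample of a plugin main-file header (version number is made up).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Contact Form & Lead Form Elementor Builder
 * Version: 1.9.8
 */
"""

# Constructed sample of stored form submissions.
SAMPLE_SUBMISSIONS = [
    {"field": "name", "value": "Jane Doe"},
    {"field": "message", "value": "Please call me about pricing."},
    {"field": "message", "value": "<script>alert(1)</script>"},
    {"field": "website", "value": "javascript:alert(1)"},
]


def version_tuple(version: str) -> tuple:
    """Turn '2.0.2' (or '2.0.2-beta') into a tuple of ints for ordering."""
    core = re.match(r"[0-9.]+", version.strip())
    if not core:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in core.group(0).strip(".").split("."))


def parse_plugin_version(plugin_header: str) -> str:
    """Extract the value of the `Version:` header line."""
    match = _VERSION_HEADER.search(plugin_header)
    if not match:
        raise ValueError("no Version: header found")
    return match.group(1)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """Per the advisory, every release before 2.0.2 is affected."""
    return version_tuple(installed) < version_tuple(fixed)


def flags_script_injection(value: str) -> bool:
    """True if the value matches any of the injection indicators."""
    return any(pattern.search(value) for pattern in _INJECTION_PATTERNS)


def review_submissions(submissions) -> list:
    """Return (field, value) pairs that look like injection attempts."""
    return [(s["field"], s["value"]) for s in submissions if flags_script_injection(s["value"])]


if __name__ == "__main__":
    installed = parse_plugin_version(SAMPLE_HEADER)
    state = "VULNERABLE (update to 2.0.2)" if is_vulnerable(installed) else "patched"
    print(f"lead-form-builder {installed}: {state}")
    for field, value in review_submissions(SAMPLE_SUBMISSIONS):
        print(f"suspicious value in field {field!r}: {value!r}")
```

The version check is the reliable signal: it answers "am I affected" directly from the installed file, whereas the pattern check only tells you whether someone has already submitted suspicious content and should be read as a triage aid, not as proof of compromise or of its absence.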
Update to version 2.0.2, or a more recent fixed version
CVE-2026-32532 is a Stored XSS vulnerability in the Contact Form & Lead Form Elementor Builder plugin for WordPress, allowing attackers to inject malicious scripts stored on the server.
You are affected if you are using Contact Form & Lead Form Elementor Builder versions prior to 2.0.2. Check your plugin version and update immediately.
Upgrade the plugin to version 2.0.2 or later. Consider a WAF rule to filter malicious input as an interim measure.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the ThemeHunk website and WordPress plugin repository for the latest advisory and update information.
Upload your dependency file and find out instantly whether this CVE and others affect you.