PT-2026-24650 · Themehunk · Lead Form Builder & Contact Form

Youssef Elouaer · Published 2026-03-11 · Updated 2026-03-15 · CVE-2026-1454

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Responsive Contact Form Builder & Lead Generation Plugin, versions prior to 2.0.2

Description: The Responsive Contact Form Builder & Lead Generation Plugin for WordPress is susceptible to Stored Cross-Site Scripting through form field submissions. This occurs because the lfb_lead_sanitize() function does not adequately sanitize input: certain field types are omitted from its sanitization whitelist, so their values are stored without being cleaned. Combined with a permissive wp_kses() filter that allows onclick attributes on anchor tags, this enables unauthenticated attackers to inject web scripts that execute when an administrator views lead entries in the WordPress dashboard. The vulnerability allows for the injection of arbitrary web scripts via form field submissions.

Recommendations: Versions prior to 2.0.2 should be updated to version 2.0.2 or later.
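The two weaknesses named above (a field type missing from the sanitization whitelist, and a wp_kses() allow-list that keeps onclick on anchor tags) can be illustrated with a small PHP snippet. This is an added example written for this page, not the plugin's own code: the allow-list arrays and the function lfb_example_sanitize_field() are hypothetical, the sample submission is constructed, and it assumes WordPress core is loaded so that wp_kses(), sanitize_text_field(), sanitize_textarea_field(), sanitize_email(), esc_url_raw() and esc_html() are available.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress core is loaded.
// Names prefixed lfb_example_ are hypothetical.

// Weak: an event-handler attribute (onclick) is on the allow-list, so any value
// passed through wp_kses() with this list keeps the handler.
$lfb_example_permissive_allowed_html = array(
    'a' => array(
        'href'    => true,
        'title'   => true,
        'onclick' => true, // event handler: wp_kses() will preserve it
    ),
);

// Corrected: only link/presentational attributes, no on* handlers. wp_kses()
// also drops hrefs whose scheme is outside its allowed protocols.
$lfb_example_strict_allowed_html = array(
    'a' => array(
        'href'  => true,
        'title' => true,
        'rel'   => true,
    ),
    'br'     => array(),
    'strong' => array(),
    'em'     => array(),
);

/**
 * Sanitize one submitted field according to its declared type.
 * The default branch sanitizes instead of returning the value unchanged, so a
 * field type that is absent from the list cannot bypass sanitization.
 */
function lfb_example_sanitize_field( $type, $value, array $allowed_html ) {
    switch ( $type ) {
        case 'email':
            return sanitize_email( $value );
        case 'url':
            return esc_url_raw( $value );
        case 'textarea':
            return sanitize_textarea_field( $value );
        case 'richtext':
            // Only field types meant to carry markup go through wp_kses().
            return wp_kses( $value, $allowed_html );
        case 'text':
        case 'select':
        case 'radio':
        case 'checkbox':
        default:
            // Default-deny: unknown types are stored as plain text.
            return sanitize_text_field( $value );
    }
}

// Constructed submission for a defender's unit test. The anchor with an
// onclick attribute models the input class described in the advisory.
$submission = array(
    'name'    => array( 'type' => 'text',     'value' => 'Ada <b>Lovelace</b>' ),
    'message' => array( 'type' => 'richtext', 'value' => '<a href="https://example.com" onclick="void(0)">site</a>' ),
    'custom'  => array( 'type' => 'unlisted', 'value' => '<a href="#" onclick="void(0)">x</a>' ),
);

foreach ( $submission as $name => $field ) {
    $clean = lfb_example_sanitize_field( $field['type'], $field['value'], $lfb_example_strict_allowed_html );
    // Escape again at output time, per context: plain-text fields with esc_html(),
    // markup fields with the same strict allow-list. Sanitizing on save does not
    // replace escaping on display in the dashboard.
    $out = ( 'richtext' === $field['type'] )
        ? wp_kses( $clean, $lfb_example_strict_allowed_html )
        : esc_html( $clean );
    echo $name, ': ', $out, "\n";
}
```

With the strict list, the message field keeps its anchor but loses the onclick attribute, and the unlisted field type is reduced to plain text rather than being stored verbatim; swapping in the permissive list shows the handler surviving. The design point is that both layers matter: an allow-list without event handlers, and a sanitizer whose fallthrough path is deny rather than pass-through.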

Fix

XSS


Weakness Enumeration

Related identifiers

CVE-2026-1454

Affected products

Lead Form Builder & Contact Form