PT-2026-49186 · WordPress · Form Builder
Luca Jungnickel · Published 2026-06-15 · Updated 2026-06-15 · CVE-2026-9278
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
Form Builder CP WordPress plugin versions prior to 1.2.47
Description
Insufficient sanitization of a form configuration value before storage and subsequent use in client-side script execution allows authenticated users with Editor-level access or higher to perform Stored Cross-Site Scripting (XSS). This occurs even when the unfiltered_html capability is disabled, such as in multisite networks, affecting any visitor who views a page rendering the compromised form.
Recommendations
Update the plugin to version 1.2.47 or later.
Exploit
Related Identifiers
Affected Products
Form Builder