PatchSiren cyber security CVE debrief
CVE-2026-9278 Form Builder CP CVE debrief
CVE-2026-9278 is a Stored Cross-Site Scripting (XSS) vulnerability in the Form Builder CP WordPress plugin before version 1.2.47. The plugin does not properly sanitize a form configuration value before storing it and using it as part of a client-side script execution. This allows authenticated users with Editor-level access and above to perform Stored Cross-Site Scripting attacks against any visitor of a page rendering the affected form, even when the `unfiltered_html` capability is disallowed.
- Vendor: Form Builder CP
- Product: Form Builder CP
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Users of the Form Builder CP WordPress plugin, particularly those with Editor-level access and above, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability exists in the Form Builder CP WordPress plugin before version 1.2.47. Authenticated users with Editor-level access and above can exploit this vulnerability to perform Stored Cross-Site Scripting attacks.
Defensive priority
High
Recommended defensive actions
- Update the Form Builder CP WordPress plugin to version 1.2.47 or later.
- Restrict Editor-level access and above to trusted users only.
- Monitor for suspicious activity on pages rendering the affected form.
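One way to check the first action across a server, as an added example that is not code from the advisory or the plugin: it scans a `wp-content/plugins` tree, finds Form Builder CP by its `Plugin Name` header, and flags copies older than 1.2.47. The directory layout, the `example-slug` folder, and the sample plugin files are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_NAME = "Form Builder CP"  # plugin name as given in the advisory
FIXED_VERSION = "1.2.47"         # first fixed release per the advisory

# WordPress-style header lines such as " * Version: 1.2.9" in the plugin's main file.
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def parse_version(text):
    """Turn '1.2.9' into (1, 2, 9) so that 1.2.9 sorts below 1.2.47."""
    return tuple(int(part) for part in re.findall(r"\d+", text))

def read_plugin_header(php_file):
    """Return the lower-cased header fields found in the first 8 KiB of a file."""
    head = php_file.read_text(encoding="utf-8", errors="replace")[:8192]
    return {key.lower(): value for key, value in HEADER_RE.findall(head)}

def find_vulnerable(plugins_dir):
    """List (path, version) for Form Builder CP copies older than the fix."""
    hits = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_plugin_header(php_file)
        if header.get("plugin name", "").lower() != PLUGIN_NAME.lower():
            continue
        # A missing Version header is treated as "0" and therefore flagged.
        version = header.get("version", "0")
        if parse_version(version) < parse_version(FIXED_VERSION):
            hits.append((str(php_file), version))
    return hits

def demo():
    """Scan two constructed plugin trees: one outdated, one patched."""
    root = Path(tempfile.mkdtemp())
    for site, version in (("old", "1.2.9"), ("new", "1.2.47")):
        plugin_dir = root / site / "plugins" / "example-slug"  # constructed path
        plugin_dir.mkdir(parents=True)
        (plugin_dir / "main.php").write_text(
            f"<?php\n/*\nPlugin Name: {PLUGIN_NAME}\nVersion: {version}\n*/\n")
    return {site: find_vulnerable(root / site / "plugins") for site in ("old", "new")}

if __name__ == "__main__":
    for site, hits in demo().items():
        print(site, hits or "patched")
```

The numeric comparison matters here: as plain strings, "1.2.9" sorts after "1.2.47", so a string comparison would report an outdated copy as patched.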
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information can be found at [ref-4].
Official resources
- CVE-2026-9278 CVE record (CVE.org)
- CVE-2026-9278 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
CVE-2026-9278 was published on 2026-06-15T08:16:22.200Z and has not been modified since then.