CVE-2022-50959 Wordpress CVE debrief

Who should care

Administrators and security teams responsible for WordPress sites that use the Contact Form Builder plugin, especially public-facing sites or sites where privileged users may open externally supplied links.

Technical summary

The supplied corpus identifies a reflected XSS condition in Contact Form Builder 1.6.1. The attack surface is the form_id parameter passed to code_generator.php. If application output is not properly escaped or sanitized, attacker-controlled input can be reflected into the response and executed as script in the browser of a user who visits a maliciously crafted URL. The CVE is rated CVSS 5.1 (MEDIUM) and uses CWE-79.

Defensive priority

Medium. Treat as higher priority if the plugin is installed on a production WordPress site or if administrators/editor accounts may click untrusted links.

Recommended defensive actions

• Verify whether WordPress Contact Form Builder is installed and whether version 1.6.1 or another affected release is in use.
• Update to a vendor-fixed version if one is available; if no fixed release is available, remove or disable the plugin until remediation is possible.
• Restrict access to the plugin’s admin-facing pages and minimize exposure of privileged users to untrusted external links.
• Review web application logging and browser-side incident reports for suspicious requests to code_generator.php with crafted form_id values.
• Apply general XSS hardening controls such as output encoding, input validation, and a strong Content Security Policy where practical.

Evidence notes

This debrief is based only on the supplied CVE corpus and the linked official records/references. The CVE description states the vulnerable component, version, parameter, and reflected XSS behavior. NVD metadata lists CWE-79 and references the WordPress plugin page, an Exploit-DB entry, and a VulnCheck advisory. No exploit steps or payload details are included here.

Official resources