CVE-2026-13378
Last modified
CVE-2026-13378 is a high-severity vulnerability rated 7.2/10 on the CVSS scale. The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Contact Form 7 Form Field in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.. EPSS estimates a 0.26% chance of exploitation in the next 30 days.
Description
The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Contact Form 7 Form Field in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
Source: CNA advisory (CVE.org). NVD analysis pending.
| Vendor | Product | Versions |
|---|---|---|
| wpvibes | Form Vibes – Save Contact Form 7 & Elementor Form Entries to Database | <= 1.5.2 |
References
Timeline
- Published
- Last Modified
- Status
- Deferred
Frequently Asked Questions
What is CVE-2026-13378?
How severe is CVE-2026-13378?
How do I fix CVE-2026-13378?
Related CVEs from 2026
- CVE-2026-13372Incorrect link resolution by display name in the custom Powe…7.2
- CVE-2026-13373Improper Neutralization of Input During Web Page Generation …4.8
- CVE-2026-13374Improper Neutralization of Input During Web Page Generation …4.8
- CVE-2026-13375Improper Neutralization of Input During Web Page Generation …4.8
- CVE-2026-13376Improper Neutralization of Input During Web Page Generation …4.8
- CVE-2026-13377Improper Neutralization of Input During Web Page Generation …4.8
- CVE-2026-1338GitLab has remediated an issue in GitLab CE/EE affecting all…4.3
- CVE-2026-13383An Out-of-bounds Write vulnerability in WatchGuard Fireware …7.2
- CVE-2026-13384An Out-of-bounds Write vulnerability in WatchGuard Fireware …7.2
- CVE-2026-13385An Improper Validation of Integrity Check Value and Improper…9.5
- CVE-2026-1340A code injection in Ivanti Endpoint Manager Mobile allowing …9.8
- CVE-2026-1341Avation Light Engine Pro exposes its configuration and contr…9.3
Are you affected by CVE-2026-13378?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
