CVE-2022-50959
Reflected XSS in WordPress Contact Form Builder
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpdevart | contact_form_builder | to 1.6.1 (exc) |
| wpdevart | contact_form_builder | From 3.4.0 (inc) to 6.2.9 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
WordPress Contact Form Builder version 1.6.1 contains a reflected Cross-Site Scripting (XSS) vulnerability. This flaw allows unauthenticated attackers to inject malicious scripts by manipulating the form_id parameter in the code_generator.php file.
Attackers can craft malicious URLs with script payloads in the form_id parameter, which when visited by victims, execute arbitrary JavaScript in their browsers.
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary JavaScript code in the browsers of users who visit a maliciously crafted URL. This can lead to theft of sensitive information, session hijacking, or other malicious actions performed on behalf of the victim.
Since the attack requires no authentication, any visitor to a compromised or malicious link can be affected, increasing the risk of widespread impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for HTTP requests to the code_generator.php file that include suspicious or script payloads in the form_id parameter.
A simple detection method is to search web server logs for requests containing the form_id parameter with potential script tags or JavaScript code.
- Use grep or similar tools to find suspicious requests in logs, for example: grep -i 'code_generator.php' /var/log/apache2/access.log | grep 'form_id='
- Look for script tags or encoded payloads in the form_id parameter, e.g., grep -E 'form_id=.*<script|form_id=.*%3Cscript' /var/log/apache2/access.log
Additionally, network intrusion detection systems (NIDS) can be configured to alert on HTTP requests with suspicious parameters targeting code_generator.php.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or removing the vulnerable WordPress Contact Form Builder plugin version 1.6.1 or earlier from your site.
If removal is not immediately possible, restrict access to the code_generator.php file or implement web application firewall (WAF) rules to block requests containing suspicious form_id parameters.
Monitor and block any suspicious traffic targeting the form_id parameter to prevent exploitation.
Consider updating to a patched version if available or replacing the plugin with a secure alternative.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the reflected cross-site scripting (XSS) vulnerability in WordPress Contact Form Builder 1.6.1 impacts compliance with common standards and regulations such as GDPR or HIPAA.