CVE-2022-50959
Received Received - Intake
Reflected XSS in WordPress Contact Form Builder

Publication date: 2026-05-10

Last updated on: 2026-05-10

Assigner: VulnCheck

Description
WordPress Contact Form Builder 1.6.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting the form_id parameter. Attackers can craft malicious URLs to code_generator.php with script payloads in the form_id parameter to execute arbitrary JavaScript in victim browsers.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-10
Last Modified
2026-05-10
Generated
2026-06-21
AI Q&A
2026-05-10
EPSS Evaluated
2026-06-20
NVD
CVE-2022-50959
EUVD
EUVD-2022-55980
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wpdevart contact_form_builder to 1.6.1 (exc)
wpdevart contact_form_builder From 3.4.0 (inc) to 6.2.9 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

WordPress Contact Form Builder version 1.6.1 contains a reflected Cross-Site Scripting (XSS) vulnerability. This flaw allows unauthenticated attackers to inject malicious scripts by manipulating the form_id parameter in the code_generator.php file.

Attackers can craft malicious URLs with script payloads in the form_id parameter, which when visited by victims, execute arbitrary JavaScript in their browsers.

Impact Analysis

This vulnerability can allow attackers to execute arbitrary JavaScript code in the browsers of users who visit a maliciously crafted URL. This can lead to theft of sensitive information, session hijacking, or other malicious actions performed on behalf of the victim.

Since the attack requires no authentication, any visitor to a compromised or malicious link can be affected, increasing the risk of widespread impact.

Detection Guidance

This vulnerability can be detected by monitoring for HTTP requests to the code_generator.php file that include suspicious or script payloads in the form_id parameter.

A simple detection method is to search web server logs for requests containing the form_id parameter with potential script tags or JavaScript code.

  • Use grep or similar tools to find suspicious requests in logs, for example: grep -i 'code_generator.php' /var/log/apache2/access.log | grep 'form_id='
  • Look for script tags or encoded payloads in the form_id parameter, e.g., grep -E 'form_id=.*<script|form_id=.*%3Cscript' /var/log/apache2/access.log

Additionally, network intrusion detection systems (NIDS) can be configured to alert on HTTP requests with suspicious parameters targeting code_generator.php.

Mitigation Strategies

Immediate mitigation steps include disabling or removing the vulnerable WordPress Contact Form Builder plugin version 1.6.1 or earlier from your site.

If removal is not immediately possible, restrict access to the code_generator.php file or implement web application firewall (WAF) rules to block requests containing suspicious form_id parameters.

Monitor and block any suspicious traffic targeting the form_id parameter to prevent exploitation.

Consider updating to a patched version if available or replacing the plugin with a secure alternative.

Compliance Impact

The provided information does not specify how the reflected cross-site scripting (XSS) vulnerability in WordPress Contact Form Builder 1.6.1 impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-50959. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart