CVE-2022-50959 Overview
CVE-2022-50959 is a reflected cross-site scripting (XSS) vulnerability in the WordPress Contact Form Builder plugin version 1.6.1. The flaw exists in code_generator.php, which fails to sanitize the form_id parameter before reflecting it into the HTTP response. Unauthenticated attackers can craft malicious URLs containing JavaScript payloads in the form_id parameter. When a victim clicks the link, the injected script executes in the victim's browser session under the context of the WordPress site. The vulnerability is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Attackers can steal session cookies, perform actions on behalf of authenticated users, or redirect victims to malicious sites by tricking them into visiting crafted URLs.
Affected Products
- WordPress Contact Form Builder plugin version 1.6.1
- code_generator.php endpoint within the plugin
- WordPress sites with the vulnerable plugin installed and accessible
Discovery Timeline
- 2026-05-10 - CVE-2022-50959 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2022-50959
Vulnerability Analysis
The vulnerability stems from missing output encoding on the form_id GET parameter processed by code_generator.php. The plugin echoes the parameter value directly into the HTML response without applying WordPress sanitization functions such as esc_html() or esc_attr(). This permits arbitrary HTML and JavaScript injection into the rendered page.
Because the attack requires user interaction, a victim must visit a URL crafted by the attacker. The injected JavaScript runs with the privileges of the visiting user and within the origin of the WordPress site. Session cookies, CSRF tokens, and DOM contents accessible to the page become reachable by the attacker payload.
Root Cause
The root cause is improper input neutralization in code_generator.php. User-controlled input from the form_id query string parameter reaches the response body without sanitization or contextual encoding. WordPress provides built-in escaping APIs, but the plugin author did not apply them at the output sink.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker constructs a URL pointing to the vulnerable code_generator.php endpoint with a script payload in the form_id parameter. The attacker then distributes the URL through phishing email, social media, or a malicious site. When the victim loads the URL, the reflected payload executes in their browser. Refer to the VulnCheck Advisory on WordPress XSS and Exploit-DB #50734 for the public proof-of-concept details.
Detection Methods for CVE-2022-50959
Indicators of Compromise
- HTTP GET requests to /wp-content/plugins/contact-forms-builder/code_generator.php containing form_id values with <script>, onerror=, javascript:, or URL-encoded angle brackets (%3C, %3E).
- Web server access logs showing unusually long or URL-encoded form_id parameter values from external referrers.
- Browser console errors or unexpected outbound requests originating from pages served by the vulnerable plugin.
Detection Strategies
- Inspect web access logs for query strings targeting code_generator.php and flag entries where form_id contains HTML control characters.
- Deploy a web application firewall (WAF) rule that blocks reflected XSS signatures on requests to plugin paths under /wp-content/plugins/contact-forms-builder/.
- Run an authenticated vulnerability scan against the WordPress installation to identify plugin version 1.6.1.
Monitoring Recommendations
- Forward Apache, Nginx, or load balancer logs to a centralized analytics platform and alert on XSS payload patterns targeting WordPress plugin endpoints.
- Monitor for spikes in 200 OK responses to code_generator.php from anonymous sources, which can indicate exploitation attempts at scale.
- Track outbound DNS or HTTP traffic from user workstations to attacker-controlled domains correlated with WordPress site visits.
How to Mitigate CVE-2022-50959
Immediate Actions Required
- Identify all WordPress installations running the Contact Form Builder plugin version 1.6.1 and disable the plugin until a patched version is confirmed.
- Remove or restrict access to code_generator.php via web server configuration if the plugin cannot be uninstalled immediately.
- Audit recent web logs for exploitation attempts and rotate administrator session cookies if suspicious activity is found.
Patch Information
No vendor patch is referenced in the available CVE data. Administrators should consult the WordPress Plugin Information page for current plugin status and replace the plugin with a maintained contact form alternative if no fixed release is available.
Workarounds
- Deploy a WAF rule to drop requests where the form_id parameter contains HTML tags, event handlers, or script keywords.
- Restrict access to /wp-content/plugins/contact-forms-builder/code_generator.php to authenticated administrators using .htaccess or Nginx location rules.
- Add a Content Security Policy (CSP) header that disallows inline scripts to limit the impact of reflected XSS payloads.
# Nginx configuration example: block requests with script payloads in form_id
location ~* /wp-content/plugins/contact-forms-builder/code_generator\.php {
if ($args ~* "form_id=.*(<|%3C|script|onerror|javascript:)") {
return 403;
}
}
# Recommended Content Security Policy header
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'";
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
