CVE-2026-32532
WordPress Contact Form & Lead Form Elementor Builder plugin <= 2.0.1 - Cross Site Scripting (XSS) vulnerabilityImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Contact Form & Lead Form Elementor Builder lead-form-builder allows Stored XSS.This issue affects Contact Form & Lead Form Elementor Builder: from n/a through <= 2.0.1.
We have discovered 751 live websites that are affected by CVE-2026-32532.
Affected Software
| Product |  Lead Form Builder |
| Category | Wordpress Plugins |
| Vulnerable Domains | 751 live websites (100% of Lead Form Builder install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 35 versions ( 97% of all versions) |
Details
- Published - Mar 25, 2026
- Updated - Apr 29, 2026
Credits
- daroo | Patchstack Bug Bounty Program (finder)
CVE References
Website Distribution by Country
Number of websites using CVE-2026-32532 United States | 232 websites |
 Germany | 53 websites |
 France | 48 websites |
 GB | 31 websites |
 Netherlands | 26 websites |
 Poland | 26 websites |
 Russia | 23 websites |
 South Africa | 21 websites |
 India | 21 websites |
 Austria | 20 websites |
Website Distribution by TLD
Number of websites using CVE-2026-32532| .com | 301 websites |
| .nl | 28 websites |
| .de | 28 websites |
| .org | 26 websites |
| .fr | 22 websites |
| .at | 21 websites |
| .ru | 21 websites |
| .pl | 19 websites |
| .net | 15 websites |
| .co.uk | 14 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-32532
Top websites that are affected by CVE-2026-32532. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *******.info | United States | ***,*** | |
| *******.be | France | *,***,*** | |
| *********.ir |  Iran | *,***,*** | |
| ***********.tn |  Tunisia | *,***,*** | |
| ********.com | India | *,***,*** | |
| *******.**.uk | GB | *,***,*** | |
| *******.com | United States | *,***,*** | |
| *********.com | Germany | *,***,*** | |
| ************.com | United States | *,***,*** | |
| **.******.com | United States | *,***,*** |
FAQ
A total of 751 websites have been identified as vulnerable to CVE-2026-32532, based on global website indexing conducted by WebTechSurvey.
The Lead Form Builder is affected by the CVE-2026-32532 vulnerability.
Lead Form Builder versions up to and including 2.0.1 are vulnerable to CVE-2026-32532.