This vulnerability in eyale-vc's Contact Form Builder by vcita (up to version 4.10.2) involves improper neutralization of input during web page generation, leading to a DOM-based Cross-site Scripting (XSS) issue. An attacker with low privileges can exploit this by tricking a user into interacting with crafted content, potentially resulting in limited impact on confidentiality, integrity, and availability. The CVSS 3.1 base score is 6.5, reflecting medium severity with network attack vector, low attack complexity, required privileges, and user interaction.

Successful exploitation could allow an attacker to execute arbitrary scripts in the context of the victim's browser session, potentially leading to limited disclosure or modification of information and some disruption of service. The impact is rated medium due to the requirement of user interaction and low privileges needed for the attack.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should exercise caution with untrusted input and consider applying any available temporary mitigations recommended by the vendor once published.