Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Stored XSS in a form plugin typically needs some contributor/submission access (PR:L) and a victim rendering the payload (UI:R); scope changes (S:C) with low C/I/A confined to the browser context.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms nex-forms-express-wp-form-builder allows Stored XSS.This issue affects NEX-Forms: from n/a through <= 9.2.2.
AnalysisAI
Stored cross-site scripting in Basix NEX-Forms (WordPress form-builder plugin) affects all versions up to and including 9.2.2, letting an attacker persist malicious script that executes in a victim's browser when they view the affected form or its stored data. Reported by Patchstack and scored CVSS 7.1 with a scope change, the flaw can lead to session/credential theft or admin actions within the WordPress origin. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that an attacker can get script-bearing input persisted through a NEX-Forms field, form configuration, or submission, and that a victim subsequently renders that stored content (UI:R in the vector) - for example an admin viewing form entries or a user loading the affected form page. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, 7.1) marks it network-reachable, low-complexity, requiring user interaction and no privileges, with a scope change and low impact to confidentiality, integrity and availability - a typical Patchstack stored-XSS profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a form or form field containing a crafted script payload that NEX-Forms stores without adequate sanitization; when an administrator later opens the form entries or the affected page in the WordPress dashboard, the script executes in their authenticated session (UI:R). Given low complexity and network reachability, the attacker can attempt to steal the admin session cookie or perform actions as that user. … |
| Remediation | Upgrade NEX-Forms to a release later than 9.2.2 once the vendor publishes a fixed build; consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/nex-forms-express-wp-form-builder/vulnerability/wordpress-nex-forms-plugin-9-2-2-cross-site-scripting-xss-vulnerability) for the exact patched version, which is not stated in the available data - No vendor-released patch version identified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit all WordPress installations for Basix NEX-Forms deployment and current version (vulnerable if ≤9.2.2); immediately disable the plugin if operationally feasible or restrict WordPress administrator access to trusted networks via IP allowlist. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL stat
Basix NEX-Forms through 7.8.7 allows authentication bypass for Excel report generation. Rated high severity (CVSS 7.5),
Basix NEX-Forms through 7.8.7 allows authentication bypass for stored PDF reports. Rated high severity (CVSS 7.5), this
The NEX-Forms WordPress plugin before 8.4 does not properly escape the `table` parameter, which is populated with user i
The NEX-Forms WordPress plugin before 8.3.3 does not validate and escape some of its shortcode attributes before outputt
The NEX-Forms WordPress plugin before 8.4.3 does not have CSRF checks in place when editing a form, and does not escape
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Basix NEX-Forms -
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms -
The NEX-Forms - Ultimate Form Builder - Contact forms and much more plugin for WordPress is vulnerable to Stored Cross-S
The NEX-Forms - Ultimate Form Builder - Contact forms and much more plugin for WordPress is vulnerable to Limited Code E
The NEX-Forms. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. This
The NEX-Forms - Ultimate Form Builder - Contact forms and much more plugin for WordPress is vulnerable to unauthorized a
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43353