Skip to main content

NEX-Forms CVE-2026-57668

| EUVDEUVD-2026-43353 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
6.5 MEDIUM

Stored XSS in a form plugin typically needs some contributor/submission access (PR:L) and a victim rendering the payload (UI:R); scope changes (S:C) with low C/I/A confined to the browser context.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:53 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms nex-forms-express-wp-form-builder allows Stored XSS.This issue affects NEX-Forms: from n/a through <= 9.2.2.

AnalysisAI

Stored cross-site scripting in Basix NEX-Forms (WordPress form-builder plugin) affects all versions up to and including 9.2.2, letting an attacker persist malicious script that executes in a victim's browser when they view the affected form or its stored data. Reported by Patchstack and scored CVSS 7.1 with a scope change, the flaw can lead to session/credential theft or admin actions within the WordPress origin. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Access NEX-Forms input surface
Delivery
Submit form data with stored XSS payload
Exploit
Payload persisted unsanitized
Execution
Admin or user renders affected form
Persist
Script executes in WordPress origin
Impact
Session/credential theft or admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires that an attacker can get script-bearing input persisted through a NEX-Forms field, form configuration, or submission, and that a victim subsequently renders that stored content (UI:R in the vector) - for example an admin viewing form entries or a user loading the affected form page. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, 7.1) marks it network-reachable, low-complexity, requiring user interaction and no privileges, with a scope change and low impact to confidentiality, integrity and availability - a typical Patchstack stored-XSS profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a form or form field containing a crafted script payload that NEX-Forms stores without adequate sanitization; when an administrator later opens the form entries or the affected page in the WordPress dashboard, the script executes in their authenticated session (UI:R). Given low complexity and network reachability, the attacker can attempt to steal the admin session cookie or perform actions as that user. …
Remediation Upgrade NEX-Forms to a release later than 9.2.2 once the vendor publishes a fixed build; consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/nex-forms-express-wp-form-builder/vulnerability/wordpress-nex-forms-plugin-9-2-2-cross-site-scripting-xss-vulnerability) for the exact patched version, which is not stated in the available data - No vendor-released patch version identified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit all WordPress installations for Basix NEX-Forms deployment and current version (vulnerable if ≤9.2.2); immediately disable the plugin if operationally feasible or restrict WordPress administrator access to trusted networks via IP allowlist. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-3142 HIGH POC
8.8 Sep 19

The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL stat

CVE-2021-34676 HIGH POC
7.5 Jul 19

Basix NEX-Forms through 7.8.7 allows authentication bypass for Excel report generation. Rated high severity (CVSS 7.5),

CVE-2021-34675 HIGH POC
7.5 Jul 19

Basix NEX-Forms through 7.8.7 allows authentication bypass for stored PDF reports. Rated high severity (CVSS 7.5), this

CVE-2023-2114 HIGH POC
7.2 May 08

The NEX-Forms WordPress plugin before 8.4 does not properly escape the `table` parameter, which is populated with user i

CVE-2023-0272 MEDIUM POC
5.4 Mar 27

The NEX-Forms WordPress plugin before 8.3.3 does not validate and escape some of its shortcode attributes before outputt

CVE-2021-24705 MEDIUM POC
4.8 Dec 13

The NEX-Forms WordPress plugin before 8.4.3 does not have CSRF checks in place when editing a form, and does not escape

CVE-2023-50838 HIGH
7.6 Dec 28

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Basix NEX-Forms -

CVE-2024-25593 MEDIUM
6.5 Mar 15

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms -

CVE-2025-3468 MEDIUM
6.4 May 08

The NEX-Forms - Ultimate Form Builder - Contact forms and much more plugin for WordPress is vulnerable to Stored Cross-S

CVE-2025-4208 MEDIUM
6.3 May 08

The NEX-Forms - Ultimate Form Builder - Contact forms and much more plugin for WordPress is vulnerable to Limited Code E

CVE-2020-36670 MEDIUM
6.3 Mar 07

The NEX-Forms. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. This

CVE-2024-0907 MEDIUM
5.3 Feb 29

The NEX-Forms - Ultimate Form Builder - Contact forms and much more plugin for WordPress is vulnerable to unauthorized a

Share

CVE-2026-57668 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy