Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Unauthenticated network injection with low complexity (AV:N/AC:L/PR:N); scope change (S:C) since script runs in a victim's browser, with low confidentiality/integrity impact and no availability effect.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The NEX-Forms - Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via '_name[]' Array Parameter in all versions up to, and including, 9.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The wp_kses() output filtering pass provides no mitigation because NEXForms_allowed_tags() explicitly permits <script>, <iframe src/srcdoc>, and JS event handlers such as onClick, onBlur, and onChange in its allow-list.
Articles & Coverage 1
AnalysisAI
Stored cross-site scripting in the NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) lets unauthenticated attackers persist arbitrary JavaScript via the '_name[]' array parameter, which then runs in the browser of any user who views the injected page. The flaw is notable because the plugin's own wp_kses() allow-list (NEXForms_allowed_tags()) deliberately whitelists <script>, <iframe src/srcdoc>, and JS event handlers, so the normal output-filtering layer provides no protection. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a NEX-Forms form exposing the '_name[]' array parameter be reachable by the attacker (the default deployment mode for public forms), and that the attacker submit crafted markup in that parameter. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, base 7.2) indicates network-reachable, low-complexity, unauthenticated injection with a scope change reflecting execution in a victim's browser context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker submits a NEX-Forms form supplying a malicious '_name[]' array value containing a <script> tag or an on* event handler, which is stored verbatim because NEXForms_allowed_tags() whitelists those constructs. When a site administrator later opens the page or entry that renders the field, the script executes in their authenticated session, enabling session/cookie theft or actions performed as the admin. … |
| Remediation | Vendor-released patch: 9.2.3 - upgrade the NEX-Forms plugin to version 9.2.3 or later, which the plugins.trac changeset (old_path tags/9.2.2, new_path tags/9.2.3) identifies as the remediated release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all WordPress sites using NEX-Forms ≤9.2.2 and disable the plugin immediately. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40944
GHSA-j235-ccfg-wwpf