Skip to main content

NEX-Forms EUVDEUVD-2026-40944

| CVE-2026-12142 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-01 Wordfence GHSA-j235-ccfg-wwpf
7.2
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
7.2 HIGH

Unauthenticated network injection with low complexity (AV:N/AC:L/PR:N); scope change (S:C) since script runs in a victim's browser, with low confidentiality/integrity impact and no availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 11:05 vuln.today
CVE Published
Jul 01, 2026 - 09:32 cve.org
HIGH 7.2

DescriptionCVE.org

The NEX-Forms - Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via '_name[]' Array Parameter in all versions up to, and including, 9.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The wp_kses() output filtering pass provides no mitigation because NEXForms_allowed_tags() explicitly permits <script>, <iframe src/srcdoc>, and JS event handlers such as onClick, onBlur, and onChange in its allow-list.

AnalysisAI

Stored cross-site scripting in the NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) lets unauthenticated attackers persist arbitrary JavaScript via the '_name[]' array parameter, which then runs in the browser of any user who views the injected page. The flaw is notable because the plugin's own wp_kses() allow-list (NEXForms_allowed_tags()) deliberately whitelists <script>, <iframe src/srcdoc>, and JS event handlers, so the normal output-filtering layer provides no protection. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Locate public NEX-Forms form
Delivery
Submit _name[] with script payload
Exploit
Payload stored past wp_kses allow-list
Execution
Admin/user opens injected page
Persist
Script executes in victim session
Impact
Steal session or perform admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires that a NEX-Forms form exposing the '_name[]' array parameter be reachable by the attacker (the default deployment mode for public forms), and that the attacker submit crafted markup in that parameter. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, base 7.2) indicates network-reachable, low-complexity, unauthenticated injection with a scope change reflecting execution in a victim's browser context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker submits a NEX-Forms form supplying a malicious '_name[]' array value containing a <script> tag or an on* event handler, which is stored verbatim because NEXForms_allowed_tags() whitelists those constructs. When a site administrator later opens the page or entry that renders the field, the script executes in their authenticated session, enabling session/cookie theft or actions performed as the admin. …
Remediation Vendor-released patch: 9.2.3 - upgrade the NEX-Forms plugin to version 9.2.3 or later, which the plugins.trac changeset (old_path tags/9.2.2, new_path tags/9.2.3) identifies as the remediated release. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all WordPress sites using NEX-Forms ≤9.2.2 and disable the plugin immediately. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40944 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy