Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from Vendor (WPScan) · only source for this CVE.
CVSS VectorVendor: WPScan
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The NEX-Forms WordPress plugin before 9.2.3 does not sanitise and escape some submitted form data before storing it and outputting it back in the admin dashboard, leading to a Stored Cross-Site Scripting vulnerability which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks against high privilege users such as administrators when they view the submitted entries.
Analysis
The NEX-Forms WordPress plugin before 9.2.3 does not sanitise and escape some submitted form data before storing it and outputting it back in the admin dashboard, leading to a Stored Cross-Site Scripting vulnerability which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks against high privilege users such as administrators when they view the submitted entries.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Threat intelligence, references, and detailed analysis are available after sign-in.
The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL stat
Basix NEX-Forms through 7.8.7 allows authentication bypass for Excel report generation. Rated high severity (CVSS 7.5),
Basix NEX-Forms through 7.8.7 allows authentication bypass for stored PDF reports. Rated high severity (CVSS 7.5), this
The NEX-Forms WordPress plugin before 8.4 does not properly escape the `table` parameter, which is populated with user i
The NEX-Forms WordPress plugin before 8.3.3 does not validate and escape some of its shortcode attributes before outputt
The NEX-Forms WordPress plugin before 8.4.3 does not have CSRF checks in place when editing a form, and does not escape
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Basix NEX-Forms -
Stored cross-site scripting in Basix NEX-Forms (WordPress form-builder plugin) affects all versions up to and including
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms -
The NEX-Forms - Ultimate Form Builder - Contact forms and much more plugin for WordPress is vulnerable to Stored Cross-S
The NEX-Forms - Ultimate Form Builder - Contact forms and much more plugin for WordPress is vulnerable to Limited Code E
The NEX-Forms. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. This
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45144
GHSA-cfgv-8pp3-f8p8