Nex Forms Ultimate Forms Plugin For Wordpress
Monthly
Stored cross-site scripting in the NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) lets unauthenticated attackers persist arbitrary JavaScript via the 'real_val__' form-submission parameter, which later executes in the browser of any user who views the affected page. The flaw is amplified by a design weakness: the submission handler is registered through wp_ajax_nopriv_submit_nex_form with no nonce/CSRF verification, so no authentication or valid session is required to reach the vulnerable sink. There is no public exploit identified at time of analysis and no CISA KEV listing, but the unauthenticated, network-reachable nature makes it a practical mass-exploitation candidate against exposed WordPress sites.
Stored cross-site scripting in the NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) lets unauthenticated attackers persist arbitrary JavaScript via the '_name[]' array parameter, which then runs in the browser of any user who views the injected page. The flaw is notable because the plugin's own wp_kses() allow-list (NEXForms_allowed_tags()) deliberately whitelists <script>, <iframe src/srcdoc>, and JS event handlers, so the normal output-filtering layer provides no protection. No public exploit identified at time of analysis; the issue was reported by Wordfence and carries a CVSS 7.2 with a changed scope.
Stored cross-site scripting in the NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) lets unauthenticated attackers persist arbitrary JavaScript via the 'real_val__' form-submission parameter, which later executes in the browser of any user who views the affected page. The flaw is amplified by a design weakness: the submission handler is registered through wp_ajax_nopriv_submit_nex_form with no nonce/CSRF verification, so no authentication or valid session is required to reach the vulnerable sink. There is no public exploit identified at time of analysis and no CISA KEV listing, but the unauthenticated, network-reachable nature makes it a practical mass-exploitation candidate against exposed WordPress sites.
Stored cross-site scripting in the NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) lets unauthenticated attackers persist arbitrary JavaScript via the '_name[]' array parameter, which then runs in the browser of any user who views the injected page. The flaw is notable because the plugin's own wp_kses() allow-list (NEXForms_allowed_tags()) deliberately whitelists <script>, <iframe src/srcdoc>, and JS event handlers, so the normal output-filtering layer provides no protection. No public exploit identified at time of analysis; the issue was reported by Wordfence and carries a CVSS 7.2 with a changed scope.