Description
The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the clean_html and form_fields parameters in all versions up to, and including, 8.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-05-08
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting where authenticated Custom users can inject executable scripts into form pages
Action: Apply patch
AI Analysis

Impact

The vulnerability resides in the NEX‑Forms plugin for WordPress and stems from inadequate sanitization of the clean_html and form_fields parameters. It permits an authenticated user with Custom privileges to inject malicious scripts that are stored and subsequently executed whenever the affected form page is viewed. This can lead to compromised client session data, cookie theft, defacement, or other client‑side attacks against any visitor who loads the injected page.

Affected Systems

This weakness affects all installations of the NEX‑Forms – Ultimate Forms Plugin for WordPress with version 8.9.1 or earlier. The plugin is distributed under the webaways brand and identified in the vendor list as webaways:NEX‑Forms. No later versions are known to be affected.

Risk and Exploitability

With a CVSS score of 6.4 the severity is moderate. The EPSS value is below 1%, indicating a low current exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. An attacker would need authenticated Custom‑level access to create or edit a form; from that position they can submit malicious payloads that satisfy the stored XSS condition. Once a victim loads a page containing the injected code, the script runs in that victim’s browser.

Generated by OpenCVE AI on April 21, 2026 at 20:54 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the NEX‑Forms plugin to version 8.9.2 or later, which removes the vulnerable handling of clean_html and form_fields and addresses the input validation and output escaping weakness identified as CWE‑79.
  • If an upgrade is not immediately possible, revoke Custom‑level privileges from users or restrict form management to trusted accounts to reduce the attack surface.
  • As a temporary safeguard, implement a content security policy that blocks inline scripts on form pages and limits script execution, thereby mitigating the impact of any stored XSS.
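As an added example (not code from the NEX‑Forms plugin or from OpenCVE), the following must-use plugin sketch shows the two defensive controls the recommendations above describe: allowlist sanitization of form-builder HTML with WordPress's wp_kses() before it is stored or echoed, and a nonce-based Content-Security-Policy header on front-end pages that blocks inline scripts that do not carry the per-request nonce. The function names prefixed with example_ and the tag allowlist are assumptions for illustration.

```php
<?php
/**
 * Illustrative must-use plugin (added example, not NEX-Forms code).
 * Two defensive controls against stored XSS in form-builder HTML:
 *  1. allowlist-based sanitization applied before untrusted HTML is stored or echoed;
 *  2. a per-request nonce-based Content-Security-Policy on front-end pages.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// --- 1. Allowlist sanitization of form-builder HTML ---------------------------

/**
 * Reduce an HTML fragment to a fixed allowlist of tags and attributes.
 * Hypothetical helper; the allowlist below is an assumption for this example.
 */
function example_sanitize_form_html( $html ) {
    $allowed = array(
        'p'     => array( 'class' => true ),
        'br'    => array(),
        'label' => array( 'for' => true, 'class' => true ),
        'span'  => array( 'class' => true ),
        'div'   => array( 'class' => true, 'id' => true ),
        'a'     => array( 'href' => true, 'title' => true, 'rel' => true ),
    );
    // wp_kses() drops tags outside the allowlist, drops attributes not listed
    // for a tag (so on* handlers never survive), and rejects URL schemes
    // outside wp_allowed_protocols(), e.g. javascript: in href.
    return wp_kses( (string) $html, $allowed );
}

/** Scalar field values are escaped at output time, not trusted from storage. */
function example_render_field_label( $label ) {
    return '<label>' . esc_html( $label ) . '</label>';
}

// --- 2. Nonce-based CSP on front-end pages ------------------------------------

/** One random nonce per request, shared by the header and the script tags. */
function example_csp_nonce() {
    static $nonce = null;
    if ( null === $nonce ) {
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

add_action( 'send_headers', function () {
    if ( is_admin() ) {
        return; // wp-admin depends on inline scripts; scope the policy to the front end.
    }
    $nonce = example_csp_nonce();
    // Inline scripts without this nonce, including stored injections, are blocked.
    $policy = "default-src 'self'; script-src 'self' 'nonce-{$nonce}'; "
            . "object-src 'none'; base-uri 'self'";
    header( 'Content-Security-Policy: ' . $policy );
} );

// Tag enqueued scripts with the nonce so legitimate ones keep running.
add_filter( 'script_loader_tag', function ( $tag, $handle, $src ) {
    if ( is_admin() ) {
        return $tag;
    }
    $nonce = esc_attr( example_csp_nonce() );
    return str_replace( '<script ', "<script nonce=\"{$nonce}\" ", $tag );
}, 10, 3 );
```

Before enforcing this policy, run it as Content-Security-Policy-Report-Only on a staging site: WordPress core, themes, and other plugins emit inline scripts (for example via wp_add_inline_script), and any that are not nonced will be blocked alongside the injected ones. The CSP is a containment layer only; the sanitization step is what removes the stored payload.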


Advisories

Source: EUVD
ID: EUVD-2025-14001
Title: The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the clean_html and form_fields parameters in all versions up to, and including, 8.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

History

Tue, 15 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00034}
Values Added: {'score': 0.00039}

Wed, 04 Jun 2025 23:15:00 +0000

Type: First Time appeared
Values Added: Basixonline; Basixonline nex-forms

Type: CPEs
Values Added: cpe:2.3:a:basixonline:nex-forms:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Basixonline; Basixonline nex-forms

Thu, 08 May 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 08 May 2025 11:30:00 +0000

Type: Description
Values Added: The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the clean_html and form_fields parameters in all versions up to, and including, 8.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.9.1 - Authenticated (Custom) Stored Cross-Site Scripting

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-04-08T17:12:49.895Z
Reserved: 2025-04-09T11:54:37.522Z
Link: CVE-2025-3468

Vulnrichment
Updated: 2025-05-08T13:33:27.396Z

NVD
Status: Analyzed
Published: 2025-05-08T12:15:17.643
Modified: 2025-06-04T22:54:54.960
Link: CVE-2025-3468

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-04-21T21:00:36Z

Weaknesses