Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms LITE nex-forms-lite allows Reflected XSS. This issue affects NEX-Forms LITE: from n/a through < 8.2.
Published: 2025-10-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user‑controlled input in Basix NEX‑Forms LITE results in a reflected cross‑site scripting (XSS) flaw. The vulnerability allows an attacker to inject malicious JavaScript into a page that is rendered for another user. Depending on the context, this could enable theft of session cookies, defacement, or redirection to phishing sites.

Affected Systems

WordPress sites that have installed the NEX‑Forms LITE plugin in any version older than 8.2 are affected. The plugin is maintained by Basix and can be found under the NEX‑Forms LITE product tag. No specific minor releases are listed beyond the <8.2 threshold.

Risk and Exploitability

The CVSS v3.1 base score of 7.1 indicates high severity, while the EPSS score of less than 1% shows a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the flaw by directing a visitor to a crafted URL or form submission that includes malicious input; the reflected script then executes in the victim’s browser, potentially allowing data exfiltration or further phishing. The flaw can be exploited from any network without privileged access, but it requires a victim to view an affected page.

Generated by OpenCVE AI on April 29, 2026 at 23:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NEX‑Forms LITE to version 8.2 or later.
  • Apply a strict Content Security Policy to block inline script execution.
  • Disable or remove the plugin from the site if it is no longer required.


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N'}
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 14:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N'}
  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
Values Added: Basixonline; Basixonline nex-forms; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Basixonline; Basixonline nex-forms; Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Values Added:
  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms LITE nex-forms-lite allows Reflected XSS. This issue affects NEX-Forms LITE: from n/a through < 8.2.
  Title: WordPress NEX-Forms LITE plugin < 8.2 - Cross Site Scripting (XSS) vulnerability
  Weaknesses: CWE-79
  References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:50.771Z

Reserved: 2025-09-06T04:45:10.578Z

Link: CVE-2025-58966

Vulnrichment

Updated: 2025-10-23T13:45:12.662Z

NVD

Status: Deferred

Published: 2025-10-22T15:15:52.960

Modified: 2026-04-27T20:16:22.960

Link: CVE-2025-58966

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T23:45:16Z
