Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms nex-forms-express-wp-form-builder allows Stored XSS. This issue affects NEX-Forms: from n/a through <= 9.1.7.
Published: 2026-02-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS)
Action: Patch
AI Analysis

Impact

The vulnerability results from improper neutralization of user input during web page generation, allowing attackers to store malicious scripts in the NEX‑Forms plugin. An attacker can inject JavaScript that executes when any visitor loads a page containing the compromised form, leading to credential theft, session hijacking, or defacement. This is a stored XSS flaw identified as CWE‑79, enabling persistent malicious code that renders in every page using the affected form fields.

Affected Systems

The affected product is the Basix NEX‑Forms plugin for WordPress. Any site that has the plugin installed at version 9.1.7 or earlier is potentially vulnerable. No specific operating systems are listed, as the flaw lies entirely within the plugin’s code executed on the WordPress site.

Risk and Exploitability

The CVSS score of 7.1 classifies the flaw as high severity. The EPSS score of less than 1% indicates that exploitation attempts are rarely observed, yet the ease of exploitation (submitting a form containing a script payload) means the practical risk rises if the plugin remains unpatched. The flaw is not listed in the CISA KEV catalog, which indicates that no confirmed in-the-wild exploitation has been reported. An attacker would likely target any vulnerable site by creating a malicious form entry that is then rendered to every visitor; no privileged access is required, although a victim must load the affected page (CVSS UI:R).

Generated by OpenCVE AI on April 27, 2026 at 20:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the NEX‑Forms plugin to a version newer than 9.1.7 that fixes the stored XSS flaw.
  • If an immediate update is not possible, disable the plugin or restrict form submissions to trusted administrators only to stop the injection of malicious scripts.
  • Deploy a web‑application‑firewall rule that sanitizes or blocks script fragments in form input fields and ensures stored form content is escaped before rendering.
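To make the "escape stored form content before rendering" recommendation concrete, here is an added illustration (not NEX-Forms' code; the `$entry` layout and the `render_entry_row_*` and `render_field_description` functions are hypothetical) of a WordPress form plugin rendering stored form data the vulnerable way and the corrected way, using the core `esc_html`, `esc_attr` and `wp_kses` helpers.

```php
<?php
// Added illustration, not code from NEX-Forms. Assumes it runs inside WordPress,
// so the core escaping helpers esc_html(), esc_attr() and wp_kses() are loaded.
// $entry models one stored record: a field label set by the form designer and a
// value typed by an anonymous visitor. Both are attacker-influenced persistent data.
// The value is a constructed, benign sample payload.
$entry = [
    'label' => 'Your message',
    'value' => '<script>alert("stored XSS")</script>',
];

// Vulnerable pattern (CWE-79): stored strings are concatenated straight into the
// page, so markup inside them is interpreted by every visitor's browser.
function render_entry_row_vulnerable(array $entry): string {
    return '<tr><td>' . $entry['label'] . '</td>'
         . '<td><input type="text" value="' . $entry['value'] . '"></td></tr>';
}

// Hardened pattern: escape for the exact context the data lands in.
// esc_html() for element content, esc_attr() for a quoted attribute value.
function render_entry_row_safe(array $entry): string {
    return '<tr><td>' . esc_html($entry['label']) . '</td>'
         . '<td><input type="text" value="' . esc_attr($entry['value']) . '"></td></tr>';
}

// Where a field is meant to carry limited rich text (for example an admin-authored
// description), filter it against an explicit allow-list instead of trusting it.
function render_field_description(string $html): string {
    $allowed = [
        'a'      => ['href' => [], 'title' => []],
        'br'     => [],
        'em'     => [],
        'strong' => [],
        'p'      => [],
    ];
    return wp_kses($html, $allowed);
}

// Sanitising at intake (e.g. sanitize_text_field() on $_POST values) is a useful
// extra layer, but it does not replace output escaping: entries stored before a
// patch, or written through another code path, still reach the page.
echo render_entry_row_safe($entry);
```

The vulnerable function emits the stored `<script>` element verbatim, while the hardened one emits it as inert text (`&lt;script&gt;...`) in both the cell and the attribute.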

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 22:15:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values added: Basixonline; Basixonline nex-forms; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Basixonline; Basixonline nex-forms; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms nex-forms-express-wp-form-builder allows Stored XSS.This issue affects NEX-Forms: from n/a through <= 9.1.7.

Type: Title
Values added: WordPress NEX-Forms plugin <= 9.1.7 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values added: CWE-79

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:52:27.961Z

Reserved: 2025-12-31T20:12:18.800Z

Link: CVE-2025-69324

Vulnrichment

Updated: 2026-02-23T21:37:14.085Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:19.660

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69324

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T20:45:12Z

Weaknesses