Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms nex-forms-express-wp-form-builder allows Reflected XSS.This issue affects NEX-Forms: from n/a through <= 9.1.7.
Published: 2026-02-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

Improper neutralization of input in the NEX‑Forms WordPress plugin leads to Reflected Cross‑Site Scripting, allowing an attacker to inject and execute arbitrary JavaScript in the context of a victim’s browser. The vulnerability is classified as CWE‑79 and carries a CVSS score of 7.1, indicating moderate to high potential impact on confidentiality, integrity, and availability of the affected web application.

Affected Systems

The NEX‑Forms Express WP Form Builder plugin from Basix is affected, for all releases up to and including 9.1.7. Users running the plugin on WordPress sites with these or earlier versions are at risk.

Risk and Exploitability

The CVSS score of 7.1 reflects a significant risk, but the EPSS score of <1% indicates a relatively low probability of exploitation in the wild. The vulnerability does not require authentication and can be triggered by sending a crafted URL or form submission that contains malicious script payloads. Because it is not listed in CISA’s KEV catalog, it has not yet been widely reported as a known exploited vulnerability.

Generated by OpenCVE AI on April 27, 2026 at 20:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the NEX‑Forms plugin to version 9.1.8 or later.
  • If an immediate update is not feasible, configure the plugin or WordPress to remove or escape any script tags from user‑submitted data.
  • Use a web application firewall or content security policy to block or mitigate the execution of injected scripts.

Generated by OpenCVE AI on April 27, 2026 at 20:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Basixonline
Basixonline nex-forms
Wordpress
Wordpress wordpress
Vendors & Products Basixonline
Basixonline nex-forms
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms nex-forms-express-wp-form-builder allows Reflected XSS.This issue affects NEX-Forms: from n/a through <= 9.1.7.
Title WordPress NEX-Forms plugin <= 9.1.7 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Basixonline Nex-forms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:52:47.770Z

Reserved: 2025-12-31T20:12:18.800Z

Link: CVE-2025-69326

cve-icon Vulnrichment

Updated: 2026-02-23T21:37:10.369Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T16:22:19.917

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69326

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T20:45:12Z

Weaknesses