Impact
The vulnerability in NEX‑Forms – Ultimate Forms Plugin for WordPress allows attackers to store malicious JavaScript in the database via the '_name[]' array parameter. It is inferred that the stored script executes whenever a user accesses the affected page, so the payload is delivered to every visitor of that page. This stored Cross‑Site Scripting flaw (CWE‑79) enables arbitrary script execution in visitors' browsers, which can compromise the confidentiality and integrity of their sessions.
Affected Systems
The affected product is the official NEX‑Forms plugin for WordPress by Webaways; all versions up to and including 9.2.2 are affected. Administrators should check the installed plugin version; upgrading to 9.2.3 or later removes the vulnerability.
Risk and Exploitability
The CVSS score of 7.2 classifies this as a high‑severity flaw. Because the attack requires no authentication and the payload is persisted for all users, the risk of successful exploitation is significant. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The documented exploitation path (a malicious value submitted via the '_name[]' parameter that is then rendered in subsequent page views) implies that attackers can craft and deploy attacks without privileges, posing a real threat to site visitors.
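The following is an added defender-side example, not code from the advisory or from the NEX‑Forms plugin. It parses a constructed form-encoded request body, flags any '_name[]' entry that carries HTML markup or script-like content (useful for triaging WAF or audit-log captures of form submissions), and shows the output-side escaping that keeps such a stored value from executing; the function names, regex and sample body are assumptions of this example.

```python
"""Triage helper for array form parameters such as '_name[]' (added example,
not part of the advisory or the plugin). Flags submitted values that contain
markup and shows the output-side escaping a safe template must apply."""
import html
import re
from urllib.parse import parse_qs

# Coarse heuristic for a field that should only ever hold a plain name:
# an HTML tag, an inline event-handler attribute, or a javascript: URL.
# Tune before using on production traffic; it is a triage aid, not a WAF rule.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z][^>]*>|on[a-z]+\s*=|javascript:", re.IGNORECASE)


def array_param_values(body: str, param: str = "_name[]") -> list[str]:
    """Decoded values of a repeated (array) parameter from a form-encoded body.
    parse_qs keeps every repetition, in submission order."""
    return parse_qs(body, keep_blank_values=True).get(param, [])


def flag_markup(body: str, param: str = "_name[]") -> list[tuple[int, str]]:
    """(index, value) for every entry of `param` that matches MARKUP_RE.
    An empty list means nothing in that parameter looked like markup."""
    return [(i, v) for i, v in enumerate(array_param_values(body, param))
            if MARKUP_RE.search(v)]


def render_field_name(stored: str) -> str:
    """What output code must do before placing a stored field name inside HTML
    (the WordPress equivalent is esc_html()). Escaping at output time neutralises
    a value that was stored unsanitised."""
    return html.escape(stored, quote=True)


# Constructed sample body: one benign field name and one carrying a script tag.
SAMPLE_BODY = (
    "form_id=7&_name%5B%5D=Email+address"
    "&_name%5B%5D=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
)

if __name__ == "__main__":
    for idx, val in flag_markup(SAMPLE_BODY):
        print(f"_name[{idx}] contains markup: {val!r}")
        print("rendered safely as:", render_field_name(val))
```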
OpenCVE Enrichment