Description
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via '_name[]' Array Parameter in all versions up to, and including, 9.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The wp_kses() output filtering pass provides no mitigation because NEXForms_allowed_tags() explicitly permits <script>, <iframe src/srcdoc>, and JS event handlers such as onClick, onBlur, and onChange in its allow-list.
Published: 2026-07-01
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
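The allow-list point in the description above, shown as an added example that is not code from this page or from the NEX-Forms project: a permissive wp_kses() allow-list of the kind described (script, iframe srcdoc, on* event handlers) passes script-bearing values through untouched, while a restrictive list strips them. The snippet assumes WordPress is loaded (for instance run with WP-CLI's `wp eval-file`); the two allow-list arrays and the sample field values are constructed for illustration, not copied from NEXForms_allowed_tags(), and kses_example_audit_allowlist() is a hypothetical helper that flags dangerous entries in whatever allow-list you pass it.

```php
<?php
// Added example (not NEX-Forms code). Assumes WordPress is loaded, e.g.:
//   wp eval-file kses-allowlist-check.php
// Both allow-lists below are constructed for illustration only.

// Permissive allow-list of the shape the advisory describes. With these entries
// wp_kses() becomes a no-op for the payload classes that matter. Keys are
// lowercase, which is how wp_kses() looks element and attribute names up.
$permissive = array(
    'p'      => array( 'onclick' => true, 'onblur' => true, 'onchange' => true ),
    'script' => array( 'src' => true ),
    'iframe' => array( 'src' => true, 'srcdoc' => true ),
);

// Hardened allow-list: inline formatting only, no script-bearing elements and
// no event-handler attributes. (wp_kses_post() is the stock alternative.)
$hardened = array(
    'p'  => array( 'class' => true ),
    'b'  => array(),
    'i'  => array(),
    'br' => array(),
);

// Constructed sample values of the kind a text field might carry.
$samples = array(
    'plain'   => 'Jane Doe',
    'script'  => 'Jane<script>alert(document.domain)</script>',
    'handler' => '<p onclick="alert(1)">Jane</p>',
    'iframe'  => '<iframe srcdoc="&lt;script&gt;alert(1)&lt;/script&gt;"></iframe>',
);

// Hypothetical helper: report allow-list entries that defeat output escaping.
// Returns a list of human-readable findings; empty means nothing flagged.
function kses_example_audit_allowlist( array $allowed_html ) : array {
    $findings       = array();
    $risky_elements = array( 'script', 'iframe', 'object', 'embed' );

    foreach ( $allowed_html as $tag => $attrs ) {
        $tag_low = strtolower( (string) $tag );
        if ( in_array( $tag_low, $risky_elements, true ) ) {
            $findings[] = "element <$tag_low> is allowed";
        }
        foreach ( (array) $attrs as $attr => $_unused ) {
            $attr_low = strtolower( (string) $attr );
            // Any on* attribute is an event handler; srcdoc carries a whole document.
            if ( 0 === strpos( $attr_low, 'on' ) || 'srcdoc' === $attr_low ) {
                $findings[] = "attribute $attr_low on <$tag_low> is allowed";
            }
        }
    }
    return $findings;
}

foreach ( array( 'permissive' => $permissive, 'hardened' => $hardened ) as $label => $list ) {
    echo "== $label allow-list ==\n";
    foreach ( kses_example_audit_allowlist( $list ) as $finding ) {
        echo "  audit: $finding\n";
    }
    foreach ( $samples as $name => $value ) {
        // With the permissive list the script, handler and iframe samples come
        // back unchanged; with the hardened list only text and <p> survive.
        printf( "  %-8s %s\n", $name, wp_kses( $value, $list ) );
    }
}
```

Passing an installed plugin's real allow-list array to kses_example_audit_allowlist() is a quick way to confirm whether a given version still permits script-bearing tags; removing those entries (or switching the output call to wp_kses_post()) is the direction of the fix the page's recommended upgrade to 9.2.3 describes.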
AI Analysis

Impact

The vulnerability in NEX‑Forms – Ultimate Forms Plugin for WordPress allows attackers to store malicious JavaScript in the database via the '_name[]' array parameter. It is inferred that the stored script executes whenever a user accesses the affected page, delivering the payload to all site visitors. This stored Cross‑Site Scripting flaw (CWE‑79) enables execution of arbitrary scripts, which can compromise the confidentiality and integrity of user sessions.

Affected Systems

The affected product is the official NEX‑Forms plugin for WordPress by Webaways, with all versions up to and including 9.2.2 impacted. The recommendation is to verify the plugin version; a version upgrade to 9.2.3 or later removes the vulnerability.

Risk and Exploitability

The CVSS score of 7.2 classifies this as a high‑severity flaw. Because the attack requires no authentication and the payload can be persisted for all users, the risk of successful exploitation is significant. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The documented exploitation path—submitting a malicious value via the '_name[]' parameter and having it rendered in subsequent page views—implies that attackers can easily craft and deploy attacks without privileges, posing a real threat to site visitors.

Generated by OpenCVE AI on July 2, 2026 at 10:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the NEX‑Forms plugin to version 9.2.3 or later, which removes the permissive tag allow‑list and sanitizes the '_name[]' input.
  • If an immediate upgrade is not possible, temporarily disable or remove the affected form on the site to prevent script storage and execution.
  • Configure a Web Application Firewall or security plugin that blocks stored XSS payloads, and enforce strict input validation on all form fields.

Advisories

No advisories yet.

References

Provider for all links: CVE
  • https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.1.10/includes/classes/class.db.php#L2660
  • https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.1.10/includes/classes/class.db.php#L2809
  • https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.1.10/includes/classes/class.functions.php#L2343
  • https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.1.10/main.php#L2660
  • https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.1.10/main.php#L2720
  • https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.1.10/main.php#L2903
  • https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.2.2/includes/classes/class.db.php#L2660
  • https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.2.2/includes/classes/class.db.php#L2809
  • https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.2.2/includes/classes/class.functions.php#L2343
  • https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.2.2/main.php#L2660
  • https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.2.2/main.php#L2720
  • https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.2.2/main.php#L2903
  • https://plugins.trac.wordpress.org/changeset?old_path=%2Fnex-forms-express-wp-form-builder/tags/9.2.2&new_path=%2Fnex-forms-express-wp-form-builder/tags/9.2.3
  • https://www.wordfence.com/threat-intel/vulnerabilities/id/da235dea-4884-4e6a-a8b8-65d34f050684?source=cve

History

Wed, 01 Jul 2026 13:30:00 +0000 (values added)
  • Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Jul 2026 10:45:00 +0000 (values added)
  • Description: The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via '_name[]' Array Parameter in all versions up to, and including, 9.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The wp_kses() output filtering pass provides no mitigation because NEXForms_allowed_tags() explicitly permits <script>, <iframe src/srcdoc>, and JS event handlers such as onClick, onBlur, and onChange in its allow-list.
  • Title: NEX-Forms <= 9.2.2 - Unauthenticated Stored Cross-Site Scripting via '_name[]' Array Parameter
  • Weaknesses: CWE-79
  • References
  • Metrics (cvssV3_1): {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-01T12:19:42.554Z

Reserved: 2026-06-12T17:32:40.310Z

Link: CVE-2026-12142

Vulnrichment

Updated: 2026-07-01T12:19:38.029Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T10:45:03Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')