The NEX-Forms WordPress plugin before 9.2.3 does not sanitise and escape some submitted form data before storing it and outputting it back in the admin dashboard, leading to a Stored Cross-Site Scripting vulnerability which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks against high privilege users such as administrators when they view the submitted entries.
Project Subscriptions
No data.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Fri, 17 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-79 | |
| Metrics |
cvssV3_1
|
Fri, 17 Jul 2026 06:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The NEX-Forms WordPress plugin before 9.2.3 does not sanitise and escape some submitted form data before storing it and outputting it back in the admin dashboard, leading to a Stored Cross-Site Scripting vulnerability which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks against high privilege users such as administrators when they view the submitted entries. | |
| Title | NEX-Forms < 9.2.3 - Unauthenticated Stored XSS via Form Submission | |
| References |
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: WPScan
Published:
Updated: 2026-07-17T14:50:27.413Z
Reserved: 2026-06-01T09:05:50.251Z
Link: CVE-2026-10525
Updated: 2026-07-17T14:50:21.523Z
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses