Stored Cross-Site Scripting Vulnerability in NEX-Forms WordPress Plugin
CVE-2026-10525

6.1MEDIUM

Key Information:

Vendor

WordPress

Status
Vendor
CVE Published:
17 July 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-10525?

The NEX-Forms plugin for WordPress, prior to version 9.2.3, is vulnerable due to inadequate sanitization and escaping of submitted form data. This weakness can allow an attacker to inject malicious scripts that are stored and executed in the admin dashboard when high-privileged users, such as administrators, view the submitted entries. This issue underscores the importance of implementing strict data validation and sanitization measures in web applications.

Affected Version(s)

NEX-Forms 0 < 9.2.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sandiyo Christan
WPScan
.