Stored Cross-Site Scripting Vulnerability in NEX-Forms WordPress Plugin
CVE-2026-10525
Key Information:
Badges
What is CVE-2026-10525?
The NEX-Forms plugin for WordPress, prior to version 9.2.3, is vulnerable due to inadequate sanitization and escaping of submitted form data. This weakness can allow an attacker to inject malicious scripts that are stored and executed in the admin dashboard when high-privileged users, such as administrators, view the submitted entries. This issue underscores the importance of implementing strict data validation and sanitization measures in web applications.
Affected Version(s)
NEX-Forms 0 < 9.2.3
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved