Stored Cross-Site Scripting Vulnerability in NEX-Forms Plugin for WordPress
CVE-2026-12142
7.2 HIGH
Key Information:
- Vendor: WordPress
- CVE Published: 1 July 2026
What is CVE-2026-12142?
The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to stored cross-site scripting via the '_name[]' array parameter because of insufficient input sanitization and output escaping. An attacker can exploit this vulnerability to inject malicious web scripts that execute when a user accesses an affected page. The wp_kses() output filtering does not adequately protect against such attacks, because the allow-list defined by NEXForms_allowed_tags() permits potentially harmful HTML elements and JavaScript event handlers. Users are urged to update to the latest version to mitigate these risks.
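One way to check a wp_kses() allow-list for the weakness described above, as an added example that is not code from the plugin or from this advisory: it flags script-capable tags and on* event-handler attributes, then builds a filtered copy. The function names, the RISKY_TAGS list and the sample array are assumptions; the real contents of NEXForms_allowed_tags() are not shown on this page.

```php
<?php
// Added example. The sample array is constructed; it is not the real
// return value of NEXForms_allowed_tags(), which this page does not show.

// Assumed list of tags that can run script or load active content.
const RISKY_TAGS = ['script', 'iframe', 'object', 'embed', 'svg', 'math', 'style', 'link', 'meta', 'base'];
// Report risky entries in a wp_kses()-style list: tag => [attribute => true].
function audit_kses_allowlist(array $allowed): array
{
    $findings = [];
    foreach ($allowed as $tag => $attrs) {
        $tag = strtolower((string) $tag);
        if (in_array($tag, RISKY_TAGS, true)) {
            $findings[] = "tag <$tag> is allowed";
        }
        foreach (array_keys((array) $attrs) as $attr) {
            if (strncasecmp((string) $attr, 'on', 2) === 0) {
                $findings[] = "<$tag> allows event handler attribute '$attr'";
            }
        }
    }
    return $findings;
}

// Return a copy without risky tags and without any on* attribute.
function harden_kses_allowlist(array $allowed): array
{
    $safe = [];
    foreach ($allowed as $tag => $attrs) {
        if (in_array(strtolower((string) $tag), RISKY_TAGS, true)) {
            continue;
        }
        $safe[$tag] = array_filter(
            (array) $attrs,
            static fn($attr) => strncasecmp((string) $attr, 'on', 2) !== 0,
            ARRAY_FILTER_USE_KEY
        );
    }
    return $safe;
}

// Constructed over-permissive allow-list for the demonstration.
$sample = [
    'div'    => ['class' => true, 'onclick' => true],
    'img'    => ['src' => true, 'alt' => true, 'onerror' => true],
    'script' => ['src' => true],
];
foreach (audit_kses_allowlist($sample) as $finding) { echo "FAIL: $finding\n"; }
echo count(audit_kses_allowlist(harden_kses_allowlist($sample))), " findings after hardening\n";
```

In a WordPress test suite the same audit can be pointed at whatever array a plugin passes as the second argument to wp_kses().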
Affected Version(s)
NEX-Forms – Ultimate Forms Plugin for WordPress 0 <= 9.2.2