Stored Cross-Site Scripting Vulnerability in NEX-Forms Plugin for WordPress
CVE-2026-12142

7.2HIGH

What is CVE-2026-12142?

The NEX-Forms – Ultimate Forms Plugin for WordPress allows for stored cross-site scripting due to insufficient input sanitization and output escaping, particularly via the '_name[]' array parameter. Attackers can exploit this vulnerability to inject malicious web scripts that can execute when a user accesses an affected page. The wp_kses() output filtering mechanism fails to adequately protect against such attacks, as the allow-list defined by NEXForms_allowed_tags() permits potentially harmful HTML elements and JavaScript event handlers. Users are urged to update to the latest version to mitigate these risks.

Affected Version(s)

NEX-Forms – Ultimate Forms Plugin for WordPress 0 <= 9.2.2

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Anthony Cihan (Hann1bl3L3ct3r)
.