Stored Cross-Site Scripting in NEX-Forms Plugin for WordPress
CVE-2026-13040

7.2HIGH

What is CVE-2026-13040?

The NEX-Forms – Ultimate Forms Plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization on the 'real_val__' parameter. This vulnerability allows unauthenticated attackers to inject malicious web scripts into pages, which get executed when users visit the affected pages. Additionally, the submission endpoint does not require nonce verification, making it susceptible to attacks without needing any CSRF token, further increasing the risk of exploitation.

Affected Version(s)

NEX-Forms – Ultimate Forms Plugin for WordPress 0 <= 9.2.2

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Taichi Kashimura
.