Stored Cross-Site Scripting in NEX-Forms Plugin for WordPress
CVE-2026-13040
7.2 HIGH
Key Information:
- Vendor: WordPress
- CVE Published: 3 July 2026
What is CVE-2026-13040?
The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to inadequate input sanitization on the 'real_val__' parameter. This allows unauthenticated attackers to inject malicious web scripts into pages, which execute when users visit the affected pages. Additionally, the submission endpoint does not require nonce verification, so it accepts requests without any CSRF token, further increasing the risk of exploitation.
Affected Version(s)
NEX-Forms – Ultimate Forms Plugin for WordPress 0 <= 9.2.2