Stored Cross-Site Scripting Vulnerability in NEX-Forms Plugin for WordPress
CVE-2026-5063

7.2HIGH

Key Information:

Vendor: WordPress
Status: Nex-forms – Ultimate Forms Plugin For WordPress
Vendor: CVE Published:; 3 May 2026

What is CVE-2026-5063?

The NEX-Forms – Ultimate Forms Plugin for WordPress contains a vulnerability allowing stored cross-site scripting (XSS) through inadequate input sanitization and output escaping. Attackers can exploit this flaw by injecting arbitrary scripts via the POST parameter key names in the submit_nex_form() function. When users access a compromised page, these malicious scripts can execute, posing significant risks to security and user data. Maintaining up-to-date versions and implementing proper security measures is essential to safeguard against such threats.

Affected Version(s)

NEX-Forms – Ultimate Forms Plugin for WordPress 0 <= 9.1.11

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3513524/nex-...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 3, 2026
Vulnerability Reserved
Mar 27, 2026

Credit

Naoya Takahashi

CVE-2026-5063 Data

JSON