Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

CVE-2026-10525: CWE-79 Cross-Site Scripting (XSS) in NEX-Forms

0
High
VulnerabilityCVE-2026-10525cvecve-2026-10525cwe-79
Published: 07/17/2026 (07/17/2026, 06:00:01 UTC)
Source: CVE Database V5
Product: NEX-Forms

Description

NEX-Forms WordPress plugin versions before 9.2.3 contain a stored Cross-Site Scripting (XSS) vulnerability. This occurs because some submitted form data is not properly sanitized or escaped before being stored and displayed in the admin dashboard. Unauthenticated users can exploit this flaw to inject malicious scripts that execute when high privilege users, such as administrators, view the submitted entries. This vulnerability can lead to unauthorized script execution within the context of the admin dashboard.

Affected software

Affected versions
<9.2.3

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/17/2026, 07:55:35 UTC

Technical Analysis

The NEX-Forms WordPress plugin prior to version 9.2.3 suffers from a stored Cross-Site Scripting (CWE-79) vulnerability. The plugin fails to sanitize and escape certain submitted form data before storing it and rendering it back in the administrative interface. This allows unauthenticated attackers to inject malicious scripts into form submissions, which are then executed in the browsers of administrators or other high privilege users when viewing the entries. No CVSS score or official remediation guidance is currently provided, and no known exploits in the wild have been reported.

Potential Impact

Successful exploitation allows unauthenticated attackers to perform stored XSS attacks against high privilege users, potentially leading to session hijacking, privilege escalation, or other malicious actions within the admin dashboard context. This compromises the integrity and security of the administrative interface and could lead to further system compromise.

Mitigation Recommendations

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the admin dashboard to trusted users only and consider applying web application firewall rules to detect and block malicious input patterns targeting form submissions. Monitor vendor channels for updates regarding patches or official mitigations.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
WPScan
Date Reserved
2026-06-01T09:05:50.251Z
Cvss Version
null
State
PUBLISHED
Remediation Level
null

Threat ID: 6a59dfe668715ace439a8cec

Added to database: 07/17/2026, 07:55:18 UTC

Last enriched: 07/17/2026, 07:55:35 UTC

Last updated: 07/17/2026, 08:07:39 UTC

Views: 2

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses