NEX-Forms - Ultimate Form Builder
Moderate fix1 remedy
cpe:2.3:a:nex-forms_-_ultimate_form_builder_project:nex-forms_-_ultimate_form_builder:*:*:*:*:wordpress:*:*
Moderate fix1 remedy
- <= 8.9.1
NEX-Forms WordPress Plugin Stored Cross-Site Scripting Vulnerability
Vulnerability
Patched
A stored cross-site scripting vulnerability has been identified in the NEX-Forms WordPress plugin, specifically in the 'Ultimate Form Builder - Contact forms and much more' version 8.9.1 and earlier. This vulnerability arises from inadequate input sanitization and output escaping, allowing authenticated attackers with Custom-level access to inject arbitrary scripts into pages. The injected scripts are executed when users access the compromised pages.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.
Reproduction
To reproduce this vulnerability, an authenticated user with Custom-level access can inject scripts through the 'clean_html' and 'form_fields' parameters. The injected scripts will be executed when the page is accessed by a user.
Remediation
Users are advised to update the NEX-Forms WordPress plugin to version 8.9.2 or a newer patched version.
Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM
Vulnerability Rating
Custom Algorithm
spread
3.4impact
1.3exploitability
6.4remediation
7.7relevance
0.0threat
4.8urgency
2.9incentive
1.7Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.