Threat Feed
medium advisory

NEX-Forms WordPress Plugin Vulnerable to Stored Cross-Site Scripting (CVE-2026-5063)

The NEX-Forms WordPress plugin is vulnerable to stored XSS via POST parameter key names, allowing unauthenticated attackers to inject arbitrary web scripts.

The NEX-Forms – Ultimate Forms Plugin for WordPress, versions up to and including 9.1.11, is susceptible to a stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-5063). This flaw stems from inadequate input sanitization and output escaping within the submit_nex_form() function. Unauthenticated attackers can exploit this vulnerability by injecting malicious JavaScript code through POST parameter key names. Successful exploitation allows the attacker to execute arbitrary scripts in the context of a user’s browser when they access a page containing the injected script, potentially leading to session hijacking, defacement, or redirection to malicious sites. The vulnerability was reported to Wordfence and a patch has been released.

Attack Chain

  1. The attacker crafts a malicious HTTP POST request to a WordPress page that utilizes the vulnerable NEX-Forms plugin.
  2. The POST request includes specially crafted parameter key names designed to inject JavaScript code.
  3. The submit_nex_form() function processes the POST request without properly sanitizing or escaping the malicious input.
  4. The injected JavaScript code is stored in the WordPress database.
  5. A legitimate user accesses a page where the form data, including the malicious script, is displayed.
  6. The stored JavaScript code executes within the user’s browser in the context of the WordPress page.
  7. The attacker can then perform actions such as stealing cookies, redirecting the user, or modifying the page content.

Impact

Successful exploitation of this stored XSS vulnerability allows an unauthenticated attacker to inject arbitrary JavaScript code into pages using the NEX-Forms plugin. This can lead to various malicious outcomes, including user session hijacking, website defacement, or redirection to phishing sites. As the vulnerability is stored, every user who visits a page containing the malicious script will be affected until the vulnerability is patched and the malicious input is removed. The severity is rated as HIGH with a CVSS base score of 7.2.

Recommendation

  • Upgrade the NEX-Forms – Ultimate Forms Plugin for WordPress to a version later than 9.1.11 to patch CVE-2026-5063.
  • Deploy the Sigma rule Detect Suspicious NEX-Forms POST Requests to identify potential exploitation attempts.
  • Monitor web server logs for suspicious POST requests containing potentially malicious JavaScript code in parameter names.
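As an added illustration of the log-monitoring recommendation (this is not code from the advisory, from Wordfence, or from the plugin), the script below inspects decoded POST parameter names for HTML/JavaScript markers and shows the output escaping that neutralises such names when form data is rendered. The request bodies and the form_id field are constructed; standard access logs do not record POST bodies, so a WAF or ModSecurity audit log, or a body-logging reverse proxy, is the assumed source.

```python
import re
from html import escape
from urllib.parse import parse_qsl

# Constructed sample request bodies (not captured from any real site); the
# form_id field is a placeholder, not a NEX-Forms parameter name.
SAMPLE_BODIES = [
    "form_id=3&name=Alice&email=alice%40example.com",
    "form_id=3&%3Cscript%3Ealert%281%29%3C%2Fscript%3E=x&name=Bob",
    "form_id=3&img+onerror%3Dalert%281%29=1",
]

# Markers of HTML/JS injection, matched against the URL-decoded key name so
# that percent-encoded payloads are not missed.
XSS_KEY_MARKERS = re.compile(
    r"<\s*/?\s*[a-z]"          # start of an HTML tag, e.g. <script or </script
    r"|\bon[a-z]+\s*="         # an event-handler attribute, e.g. onerror=
    r"|javascript\s*:",        # a javascript: URI scheme
    re.IGNORECASE,
)


def suspicious_keys(body: str) -> list[str]:
    """Return the decoded POST parameter names that look like HTML/JS injection."""
    # keep_blank_values so a key submitted with an empty value is still inspected
    pairs = parse_qsl(body, keep_blank_values=True)
    return [key for key, _ in pairs if XSS_KEY_MARKERS.search(key)]


def escape_keys(body: str) -> dict[str, str]:
    """Defensive rendering: HTML-escape parameter names as well as values.

    Escaping only the values is what leaves key-name injection possible.
    """
    pairs = parse_qsl(body, keep_blank_values=True)
    return {escape(k, quote=True): escape(v, quote=True) for k, v in pairs}


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        hits = suspicious_keys(body)
        print("ALERT" if hits else "ok   ", hits)
```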

Detection coverage (2 rules)

Detect Suspicious NEX-Forms POST Requests

medium

Detects suspicious POST requests to WordPress pages using the NEX-Forms plugin with potentially malicious JavaScript code in parameter names, indicative of CVE-2026-5063 exploitation.

Type: sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver, linux

Detect Stored XSS in WordPress POST Requests via Keywords

medium

Detects stored XSS attempts via common keywords in WordPress POST requests.

Type: sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver, linux

Detection queries are kept inside the platform.