{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-5063/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5063"}],"_cs_exploited":false,"_cs_products":["NEX-Forms – Ultimate Forms Plugin for WordPress plugin \u003c= 9.1.11"],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","stored-xss","cve-2026-5063"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe NEX-Forms – Ultimate Forms Plugin for WordPress, versions up to and including 9.1.11, is susceptible to a stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-5063). This flaw stems from inadequate input sanitization and output escaping within the \u003ccode\u003esubmit_nex_form()\u003c/code\u003e function. Unauthenticated attackers can exploit this vulnerability by injecting malicious JavaScript code through POST parameter key names. Successful exploitation allows the attacker to execute arbitrary scripts in the context of a user\u0026rsquo;s browser when they access a page containing the injected script, potentially leading to session hijacking, defacement, or redirection to malicious sites. The vulnerability was reported to Wordfence and a patch has been released.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to a WordPress page that utilizes the vulnerable NEX-Forms plugin.\u003c/li\u003e\n\u003cli\u003eThe POST request includes specially crafted parameter key names designed to inject JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esubmit_nex_form()\u003c/code\u003e function processes the POST request without properly sanitizing or escaping the malicious input.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript code is stored in the WordPress database.\u003c/li\u003e\n\u003cli\u003eA legitimate user accesses a page where the form data, including the malicious script, is displayed.\u003c/li\u003e\n\u003cli\u003eThe stored JavaScript code executes within the user\u0026rsquo;s browser in the context of the WordPress page.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as stealing cookies, redirecting the user, or modifying the page content.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this stored XSS vulnerability allows an unauthenticated attacker to inject arbitrary JavaScript code into pages using the NEX-Forms plugin. This can lead to various malicious outcomes, including user session hijacking, website defacement, or redirection to phishing sites. As the vulnerability is stored, every user who visits a page containing the malicious script will be affected until the vulnerability is patched and the malicious input is removed. The severity is rated as HIGH with a CVSS base score of 7.2.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the NEX-Forms – Ultimate Forms Plugin for WordPress to a version beyond 9.1.11 to patch CVE-2026-5063.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious NEX-Forms POST Requests\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests containing potentially malicious JavaScript code in parameter names.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-03T06:15:57Z","date_published":"2026-05-03T06:15:57Z","id":"/briefs/2026-05-wordpress-nex-forms-xss/","summary":"The NEX-Forms WordPress plugin is vulnerable to stored XSS via POST parameter key names, allowing unauthenticated attackers to inject arbitrary web scripts.","title":"NEX-Forms WordPress Plugin Vulnerable to Stored Cross-Site Scripting (CVE-2026-5063)","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-nex-forms-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-5063","version":"https://jsonfeed.org/version/1.1"}