CVE-2025-14803

CWE-79Cross-site Scripting (XSS)4 documents4 sources
Severity
6.8MEDIUM
EPSS
0.1%
top 83.88%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Unknown Nex-forms
Timeline
PublishedJan 9

Description

The NEX-Forms WordPress plugin before 9.1.8 does not sanitise and escape some of its settings. The NEX-Forms WordPress plugin before 9.1.8 can be configured in such a way that could allow subscribers to perform Stored Cross-Site Scripting.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:HExploitability: 0.9 | Impact: 5.9

Affected Packages1 packages

CVEListV5unknown/nex-forms< 9.1.8

🔴Vulnerability Details

2
GHSA
GHSA-cp58-32qm-mgjw: The NEX-Forms WordPress plugin before 92026-01-09
CVEList
Nex-Forms Express WP Form Builder < 9.1.8 - Authenticated Stored XSS2026-01-09

🕵️Threat Intelligence

1
Wiz
CVE-2025-14803 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-14803 (MEDIUM CVSS 6.8) | The NEX-Forms WordPress plugin befo | cvebase.io