CVE-2025-3468 — Cross-site Scripting in Nex-forms

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

5.4MEDIUMNVD

CNA6.4

EPSS

0.1%

top 68.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Basixonline Nex-forms Webaways Nex-forms Ultimate Forms Plugin FOR Wordpress

Timeline

PublishedMay 8

Description

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the clean_html and form_fields parameters in all versions up to, and including, 8.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5webaways/nex-forms_ultimate_forms_plugin_for_wordpress8.9.1

▶NVDbasixonline/nex-forms< 8.9.2

🔴Vulnerability Details

CVEList

NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.9.1 - Authenticated (Custom) Stored Cross-Site Scripting↗2025-05-08

▶

GHSA

GHSA-pq56-qw5r-672m: The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the clean_ht↗2025-05-08

▶