Unknown Nex-Forms vulnerabilities

5 known vulnerabilities affecting unknown/nex-forms.

Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 4

Vulnerabilities

CVE-2025-14803 | MEDIUM | CVSS 6.8 | fixed in 9.1.8 | 2026-01-09
CWE-79: The NEX-Forms WordPress plugin before 9.1.8 does not sanitise and escape some of its settings. The NEX-Forms WordPress plugin before 9.1.8 can be configured in such a way that could allow subscribers to perform Stored Cross-Site Scripting.
Sources: cvelistv5, nvd

CVE-2023-0439 | MEDIUM | CVSS 5.4 | fixed in 8.4.4 | 2023-07-17
CWE-79: The NEX-Forms WordPress plugin before 8.4.4 does not escape its form name, which could lead to Stored Cross-Site Scripting issues. By default only SuperAdmins (in multisite) / admins (in single site) can create forms; however, there is a setting allowing them to give lower roles access to this feature.
Sources: cvelistv5, nvd

CVE-2023-2114 | HIGH | CVSS 7.2 | fixed in 8.4 | 2023-05-08
CWE-89: The NEX-Forms WordPress plugin before 8.4 does not properly escape the `table` parameter, which is populated with user input, before concatenating it to an SQL query.
Sources: cvelistv5, nvd

CVE-2023-0272 | MEDIUM | CVSS 5.4 | fixed in 8.3.3 | 2023-03-27
CWE-79: The NEX-Forms WordPress plugin before 8.3.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Sources: cvelistv5, nvd

CVE-2021-24705 | MEDIUM | CVSS 4.8 | fixed in 8.4.3 | 2021-12-13
CWE-79: The NEX-Forms WordPress plugin before 8.4.3 does not have CSRF checks in place when editing a form, and does not escape some of its settings as well as form fields before outputting them in attributes. This could allow attackers to make a logged-in admin edit arbitrary forms with Cross-Site Scripting payloads in them.
Sources: cvelistv5, nvd