WordPress Plugin Vulnerabilities

NEX-Forms – Ultimate Form Builder – Contact forms and much more < 8.9.2 - Authenticated (Custom) Stored Cross-Site Scripting

Description

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the clean_html and form_fields parameters in all versions up to, and including, 8.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
nex-forms-express-wp-form-builder
Fixed in 8.9.2

References

CVE
CVE-2025-3468
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a33a7ba5-c6f8-4cf4-8011-8312e9c5da8f

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
m3ssap0
Verified
No
WPVDB ID
48b392ad-3fcc-41f4-90a2-799e19049d97

Timeline

Publicly Published
2025-05-07 (about 1 year ago)
Added
2025-05-07 (about 1 year ago)
Last Updated
2025-05-08 (about 1 year ago)

Other

Published
Title
Published
2025-01-28
Title
Divi Torque Lite < 4.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Published
2025-09-30
Title
Rock Convert <= 3.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-03-30
Title
Premmerce Redirect Manager < 1.0.12 - Admin+ Stored XSS
Published
2025-10-21
Title
Responsive Progress Bar <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-01-20
Title
Image Hover Effects For WPBakery Page Builder < 5.0 - Contributor+ Stored XSS