CVE-2026-5063
Published: 03 May 2026
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2026-5063 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in the NEX-Forms – Ultimate Forms Plugin for WordPress. It affects versions up to and including 9.1.11, stemming from insufficient input sanitization and output escaping of POST parameter key names in the submit_nex_form() function. This flaw enables the injection of arbitrary web scripts into pages. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and changed scope.
Unauthenticated attackers can exploit this vulnerability remotely by submitting a form whose POST parameter key names, rather than their values, carry script content; validation applied only to field values therefore does not catch it. Once stored with the submission, the payload executes in the browser of any user who views a page that renders the stored entry, potentially compromising that user's session, stealing sensitive data, or enabling further attacks such as account takeover.
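The pattern behind this class of bug, as an added illustration rather than the plugin's own code: field names taken from the request are stored verbatim and later echoed into an entries page unescaped, beside a hardened version that normalises the key on input and escapes it on output. The handler and rendering function names, the storage array and the request body are hypothetical; the `sanitize_key()` and `esc_html()` stand-ins mimic the WordPress helpers so the file runs outside WordPress.

```php
<?php
// Added illustration of CWE-79 via untrusted POST parameter *names*.
// Not NEX-Forms code: handler names, storage and rendering are hypothetical.

// Stand-ins for the WordPress helpers, so this runs without WordPress loaded.
if (!function_exists('sanitize_key')) {
    // WordPress sanitize_key(): lowercase, keep only a-z 0-9 _ -
    function sanitize_key($key) {
        return preg_replace('/[^a-z0-9_\-]/', '', strtolower((string) $key));
    }
}
if (!function_exists('esc_html')) {
    // WordPress esc_html(): HTML-escape text destined for element content
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Vulnerable pattern: every submitted field name is kept as-is ...
function store_submission_vulnerable(array $post): array {
    $entry = [];
    foreach ($post as $key => $value) {
        $entry[$key] = $value;   // key copied straight from the request
    }
    return $entry;
}

// ... and later written into markup without escaping.
function render_entry_vulnerable(array $entry): string {
    $html = '<table>';
    foreach ($entry as $key => $value) {
        // The value is escaped, the field label is not: the key becomes live markup.
        $html .= "<tr><th>$key</th><td>" . esc_html($value) . '</td></tr>';
    }
    return $html . '</table>';
}

// Hardened pattern: normalise keys on input AND escape on output. Input
// sanitisation alone does not protect other code paths that render the same
// stored entry, so both layers are kept.
function store_submission_hardened(array $post): array {
    $entry = [];
    foreach ($post as $key => $value) {
        $safe_key = sanitize_key($key);
        if ($safe_key === '') {
            continue;            // drop keys that sanitise to nothing
        }
        $entry[$safe_key] = $value;
    }
    return $entry;
}

function render_entry_hardened(array $entry): string {
    $html = '<table>';
    foreach ($entry as $key => $value) {
        $html .= '<tr><th>' . esc_html($key) . '</th><td>' . esc_html($value) . '</td></tr>';
    }
    return $html . '</table>';
}

// Constructed request body (not a real capture). The payload sits in the
// second field's *name*. PHP rewrites '.' and ' ' in $_POST keys to '_', so a
// payload that has to survive that mangling uses '/' as its separator.
$constructed_post = [
    'email'                  => 'visitor@example.com',
    '<svg/onload=alert(1)>'  => 'hello',
];

$vuln = render_entry_vulnerable(store_submission_vulnerable($constructed_post));
$safe = render_entry_hardened(store_submission_hardened($constructed_post));

echo 'Vulnerable rendering contains live tag: ',
     (strpos($vuln, '<svg/onload=alert(1)>') !== false) ? 'yes' : 'no', "\n";
echo 'Hardened rendering contains live tag:   ',
     (strpos($safe, '<svg/onload=alert(1)>') !== false) ? 'yes' : 'no', "\n";
echo $safe, "\n";
```

Run with `php example.php`. The vulnerable output embeds the `<svg/onload=...>` tag as markup; the hardened output stores the key as `svgonloadalert1` and escapes it again on render, so nothing the browser will treat as a tag survives.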
The fix is in WordPress plugin trac changeset 3513524 (https://plugins.trac.wordpress.org/changeset/3513524/nex-forms-express-wp-form-builder). Wordfence provides additional threat intelligence, including exploitation details, at https://www.wordfence.com/threat-intel/vulnerabilities/id/9bac82ee-55bf-4381-b441-115a675e4834?source=cve. Practitioners should update to a release later than 9.1.11. As defense in depth, escape all stored submission data, field names included, at output time (for example with esc_html() or esc_attr()) rather than relying on input sanitization alone, and treat existing stored submissions as untrusted, since entries captured before the update may already carry payloads.
Details
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation)
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059.007 Command and Scripting Interpreter: JavaScript
Why these techniques?
Stored XSS in a public-facing WordPress plugin enables remote exploitation of the application (T1190) and execution of injected JavaScript in victim browsers (T1059.007).