PT-2026-36681 · WordPress · Nex-Forms

Naoya Takahashi · Published 2026-05-03 · Updated 2026-05-03 · CVE-2026-5063

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

NEX-Forms – Ultimate Forms Plugin for WordPress versions prior to 9.1.12

Description

Insufficient input sanitization and output escaping in the submit_nex_form() function allow unauthenticated attackers to inject arbitrary web scripts via POST parameter key names. These scripts execute whenever a user accesses an affected page. This is a Stored Cross-Site Scripting issue, where malicious scripts are permanently stored on the target server.

Recommendations

Update the plugin to a version later than 9.1.11. As a temporary workaround, restrict access to the submit_nex_form() function to minimize the risk of exploitation.
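
The Description names POST parameter key names, not values, as the unsanitized input. The following added example, which is not NEX-Forms code, shows a handler that validates keys on input and escapes both keys and values on output; the function names, the key allowlist pattern and the sample submission are assumptions made for illustration.

```php
<?php
// Added illustration; not NEX-Forms code. Function names and the key pattern are hypothetical.

/** Split a submission into fields with allowlisted key names and a list of rejected keys. */
function filter_submitted_fields(array $post): array
{
    $clean = [];
    $rejected = [];
    foreach ($post as $key => $value) {
        $key = (string) $key; // PHP turns numeric-looking keys into integers
        if (preg_match('/\A[A-Za-z0-9_\-]{1,64}\z/', $key) !== 1) {
            $rejected[] = $key;
            continue;
        }
        // Nested arrays are dropped here to keep the example small.
        $clean[$key] = is_scalar($value) ? (string) $value : '';
    }
    return [$clean, $rejected];
}

/** Render stored fields as table rows, escaping key and value alike at output time. */
function render_entry(array $fields): string
{
    $rows = '';
    foreach ($fields as $key => $value) {
        $rows .= sprintf(
            "<tr><th>%s</th><td>%s</td></tr>\n",
            htmlspecialchars((string) $key, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
            htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        );
    }
    return $rows;
}

// Constructed sample submission: the second key carries markup instead of a field name.
$post = [
    'email' => 'user@example.test',
    'note<script>x</script>' => 'hello',
];

[$clean, $rejected] = filter_submitted_fields($post);
echo render_entry($clean);                    // only the "email" row is rendered
echo count($rejected), " key(s) rejected\n";
// Defence in depth: even the unfiltered submission is inert once escaped at output.
echo render_entry($post);
```

In WordPress code, `esc_html()` and `esc_attr()` are the usual output-escaping helpers in place of the direct `htmlspecialchars()` calls used here.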

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-5063

Affected Products

Nex-Forms