
NEX-Forms WordPress Plugin Unauthenticated Stored XSS via Form Field Name (CVE-2026-12142)

Scope: NEX-Forms Ultimate Forms Plugin for WordPress Versions up to and Including 9.2.2

Severity: High

A high-severity stored cross-site scripting (XSS) vulnerability in the NEX-Forms WordPress plugin allows unauthenticated attackers to store malicious JavaScript through unsanitized form field name parameters. The plugin's custom allowlist is overly permissive and does not block the injected markup, so the stored script executes in the browser of any user who later views the affected page, administrators included, enabling session hijacking, theft of administrator cookies, and complete site takeover. Because the vulnerable endpoint does not require authentication, any internet-accessible WordPress installation running NEX-Forms 9.2.2 or earlier is exposed to automated scanners.

Administrators must update to version 9.2.3 or later, audit existing form submissions for injected script content, and purge any affected page caches so that cached copies of the payload are not served after the update.
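The allowlist failure mode described above, illustrated with an added Python example that is not NEX-Forms code (the plugin is written in PHP and its actual filter is not reproduced here): a tag-only allowlist that copies attributes through beside an attribute-aware one, plus the audit check for stored field names that the remediation step calls for. ALLOWED_TAGS, SAFE_ATTRS, the sanitizer functions and the sample rows are all constructed for the illustration.

```python
"""Added illustration, not NEX-Forms code: why a tag-only HTML allowlist
lets stored XSS through, a hardened attribute-aware variant, and an audit
check for stored field names. All names here are hypothetical."""
import re
from html import escape, unescape
from html.parser import HTMLParser

# Hypothetical allowlist in the style of a permissive form-builder filter.
ALLOWED_TAGS = {"b", "i", "em", "strong", "a", "span", "img"}
# Attributes the hardened variant keeps; everything else (on*, style, ...) is dropped.
SAFE_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}, "span": {"class"}}
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def _safe_url(value: str) -> bool:
    """Reject javascript:, data:, vbscript: and similar schemes. Control
    characters and whitespace are removed first because browsers ignore
    them inside a scheme ("java\tscript:")."""
    v = re.sub(r"[\x00-\x20]", "", value).lower()
    m = _SCHEME.match(v)
    return m is None or m.group(1) in ("http", "https", "mailto")


class _AllowlistSanitizer(HTMLParser):
    """Rebuilds the input keeping only ALLOWED_TAGS. check_attrs=False mimics
    a tag-only allowlist (the vulnerable pattern): every attribute of an
    allowed tag is copied through. check_attrs=True also filters attributes
    and URL schemes."""

    def __init__(self, check_attrs: bool) -> None:
        super().__init__(convert_charrefs=True)
        self.check_attrs = check_attrs
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; its text content is still emitted, escaped
        kept = []
        for name, value in attrs:
            value = value or ""
            if self.check_attrs:
                if name not in SAFE_ATTRS.get(tag, set()):
                    continue  # removes onerror=, onclick=, style=, ...
                if name in ("href", "src") and not _safe_url(value):
                    continue  # removes javascript: and friends
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img ... /> emits one tag, no </img>

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is always escaped

    def result(self) -> str:
        return "".join(self.out)


def _run(field_name: str, check_attrs: bool) -> str:
    p = _AllowlistSanitizer(check_attrs)
    p.feed(field_name)
    p.close()
    return p.result()


def sanitize_tag_only(field_name: str) -> str:
    """Vulnerable: passes <img src=x onerror=...> because img is allowed."""
    return _run(field_name, check_attrs=False)


def sanitize_hardened(field_name: str) -> str:
    """Hardened: allowlists tags, attributes and URL schemes."""
    return _run(field_name, check_attrs=True)


def audit_field_names(rows):
    """rows: (submission_id, stored_field_name) pairs, e.g. read from the
    plugin's submissions table. Returns ids whose stored value changes under
    the hardened sanitizer (compared after entity decoding so 'Tom & Jerry'
    is not a false positive); those rows need cleanup before the cache purge."""
    return [
        row_id for row_id, name in rows
        if unescape(sanitize_hardened(name)) != unescape(name)
    ]


if __name__ == "__main__":
    # Constructed sample rows standing in for stored submissions.
    SAMPLE_ROWS = [
        (1, "Email address"),
        (2, "<img src=x onerror=alert(document.cookie)>"),
        (3, "Tom & Jerry"),
        (4, '<a href="javascript:alert(1)">Phone</a>'),
    ]
    for _, name in SAMPLE_ROWS:
        print(repr(sanitize_tag_only(name)), "->", repr(sanitize_hardened(name)))
    print("rows needing cleanup:", audit_field_names(SAMPLE_ROWS))
```

In a real WordPress plugin the equivalent of the hardened path is `wp_kses()` with a deliberately narrow allowed-HTML array, or `sanitize_text_field()` where a field name has no business carrying markup at all, with `esc_html()` / `esc_attr()` applied again at output time as the second line of defence; the vulnerable path is any filter that decides on tag names alone.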

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.