CVE-2026-10525
Description
The NEX-Forms WordPress plugin before 9.2.3 does not sanitise and escape some submitted form data before storing it and outputting it back in the admin dashboard, leading to a Stored Cross-Site Scripting vulnerability which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks against high privilege users such as administrators when they view the submitted entries.
Metadata
Severity & Metrics
No CVSS data available.
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Unknown | NEX-Forms | — | 0 < 9.2.3 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| — | cna | CWE-79 Cross-Site Scripting (XSS) |