Back to overview

CVE-2026-10525

Description
The NEX-Forms WordPress plugin before 9.2.3 does not sanitise and escape some submitted form data before storing it and outputting it back in the admin dashboard, leading to a Stored Cross-Site Scripting vulnerability which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks against high privilege users such as administrators when they view the submitted entries.

Metadata

CVE ID
CVE-2026-10525
State
PUBLISHED
Assigner
WPScan
Reserved
2026-06-01 09:05 UTC
Published
2026-07-17 06:00 UTC
Last updated
2026-07-17 06:00 UTC
Vendor / Product
Unknown / NEX-Forms
Sources
cve.org  ·  NVD

Severity & Metrics

No CVSS data available.

Affected products (1)
VendorProductPlatformVersions
Unknown NEX-Forms 0 < 9.2.3
Weakness (CWE)
CWESourceDescription
cna CWE-79 Cross-Site Scripting (XSS)
Back to overview