CVE-2025-69326

Vulnerability

Overview

The NEX-Forms plugin for WordPress (versions up to and including 9.1.7) contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript into a page, which is then executed in the browser of a victim who visits a specially crafted link or page [1].

Exploitation

Prerequisites

Exploitation requires user interaction—the victim must click a malicious link, visit a crafted page, or submit a form [1]. The attacker does not need authentication to deliver the payload, but the attack relies on a privileged user (e.g., an administrator) performing the action to trigger the script execution [1]. This makes the vulnerability suitable for mass-exploit campaigns targeting thousands of websites simultaneously [1].

Impact

Successful exploitation enables an attacker to execute arbitrary scripts in the context of the victim's browser session. This can be used to redirect users to malicious sites, display advertisements, steal session cookies, or perform other actions that compromise the integrity and confidentiality of the affected WordPress site [1].

Mitigation

The vulnerability has been patched in version 9.1.8 of the plugin [1]. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a mitigation rule to block attacks until the update is applied [1]. Given the active exploitation risk, this vulnerability is listed as moderately dangerous and expected to be used in mass campaigns [1].