VYPR

Nex Forms Express Wp Form Builder

by WordPress

Source repositories

CVEs (5)

  • CVE-2025-14803MedJan 9, 2026
    risk 0.44cvss 6.8epss 0.00

    The NEX-Forms WordPress plugin before 9.1.8 does not sanitise and escape some of its settings. The NEX-Forms WordPress plugin before 9.1.8 can be configured in such a way that could allow subscribers to perform Stored Cross-Site Scripting.

  • CVE-2026-5063HigMay 3, 2026
    risk 0.40cvss 7.2epss 0.00

    The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via POST parameter key names in the submit_nex_form() function in versions up to, and including, 9.1.11 due to insufficient input sanitization and output…

  • CVE-2025-15510MedJan 31, 2026
    risk 0.34cvss 5.3epss 0.00

    The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5_Export_Forms class constructor in all versions up to, and including, 9.1.8. This makes it possible for unauthenticated attackers to…

  • CVE-2024-13498MedMar 12, 2025
    risk 0.27cvss 5.3epss 0.00

    The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.8.1 via file uploads due to insufficient directory listing prevention and lack of randomization of…

  • CVE-2015-9452Oct 7, 2019
    risk 0.00cvss epss 0.02

    The nex-forms-express-wp-form-builder plugin before 4.6.1 for WordPress has SQL injection via the wp-admin/admin.php?page=nex-forms-main nex_forms_Id parameter.