CVE-2025-14803
BaseFortify
Publication date: 2026-01-09
Last updated on: 2026-01-09
Assigner: WPScan
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nex-forms | nex-forms | < 9.1.8 (9.1.8 excluded) |
| nex-forms | nex-forms_express_wp_form_builder | < 9.1.8 (9.1.8 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authenticated Stored Cross-Site Scripting (XSS) issue in the Nex-Forms Express WordPress plugin versions prior to 9.1.8. It occurs because the plugin does not properly sanitize and escape certain settings, especially within form fields. Subscribers with permission to create forms can inject malicious scripts into form fields, which are then stored and executed when viewed by administrators or other users with higher privileges. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker with form creation permissions to inject malicious scripts that execute in the context of an administrator or other privileged users. This can lead to unauthorized actions such as stealing session cookies, defacing the site, or performing actions on behalf of the administrator, potentially compromising the integrity, confidentiality, and availability of the affected website. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by verifying the version of the Nex-Forms WordPress plugin installed on your system. If the version is prior to 9.1.8, it is vulnerable. Additionally, you can check for the presence of malicious payloads in form fields, especially in 'Extra Field Options' such as hidden fields with suspicious scripts like `<img src=x onerror=alert(1)>`. There are no specific network commands provided, but inspecting the plugin version and reviewing form configurations for injected scripts is recommended. [1]
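The answer above recommends two checks: confirm the installed plugin version against the fixed release 9.1.8, and review stored form settings for script-bearing markup. The script below is an added example written for this page, not code from BaseFortify, WPScan or the Nex-Forms project. It assumes you have already read the plugin's main PHP file (the file name and plugin slug are not given on this page and are placeholders here) and exported the form-field settings as name/value pairs from wherever the plugin stores them (the storage location is also an assumption). The only payload it uses is the one quoted in the answer, `<img src=x onerror=alert(1)>`, embedded in a constructed sample so the script runs offline.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Version in which the issue is reported fixed (taken from this page).
FIXED_VERSION = (9, 1, 8)

# Labelled patterns that indicate script-capable markup in a stored form setting.
# Deliberately conservative: a hit is a review item for an administrator, not proof of compromise.
SUSPICIOUS_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("inline event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),   # onerror=, onload=, ...
    ("javascript: URL", re.compile(r"javascript\s*:", re.I)),
    ("embedding element", re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I)),
]

# Constructed sample of a WordPress plugin header block (file name/slug are placeholders).
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: NEX-Forms (placeholder header for this example)
Version: 9.1.7
*/
"""

# Constructed sample of exported form-field settings: (field name, stored value).
SAMPLE_FIELDS: List[Tuple[str, str]] = [
    ("first_name_label", "First name"),
    ("thank_you_text", "Thanks, we will be in touch."),
    ("action_note", "action=submit is fine"),            # must not trigger the handler pattern
    ("hidden_ref", "<img src=x onerror=alert(1)>"),      # payload quoted in the advisory text
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.1.7' into (9, 1, 7); a non-numeric suffix ends the parse."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def plugin_version_from_header(php_source: str) -> Optional[str]:
    """Extract the 'Version:' line from a WordPress plugin header block."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.M)
    return m.group(1) if m else None


def is_vulnerable_version(version: str) -> bool:
    """True when the installed version sorts below the fixed release (9.1.8)."""
    return parse_version(version) < FIXED_VERSION


def find_suspicious_fields(fields: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (field name, pattern label) for every stored value that matches a pattern."""
    hits: List[Tuple[str, str]] = []
    for name, value in fields:
        for label, pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(value or ""):
                hits.append((name, label))
                break  # one hit per field is enough for a review list
    return hits


def scan_report(php_source: str, fields: Iterable[Tuple[str, str]]) -> Dict[str, object]:
    """Combine both checks into a single report a defender can act on."""
    version = plugin_version_from_header(php_source)
    return {
        "version": version,
        "vulnerable_version": bool(version) and is_vulnerable_version(version),
        "suspicious_fields": find_suspicious_fields(fields),
    }


if __name__ == "__main__":
    report = scan_report(SAMPLE_PLUGIN_HEADER, SAMPLE_FIELDS)
    print(f"installed version : {report['version']}")
    print(f"below fixed 9.1.8 : {report['vulnerable_version']}")
    for name, label in report["suspicious_fields"]:
        print(f"review field '{name}': {label}")
```

On a live site the version can also be read with WP-CLI (`wp plugin get <slug> --field=version`, with the slug substituted for the placeholder), and the field export fed to `find_suspicious_fields` should cover every form, since the answer notes that hidden fields and custom scripts in "Extra Field Options" are where payloads were stored. A hit from the field scan means the content needs human review and cleanup after updating; it does not by itself tell you who inserted it or when.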
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the Nex-Forms WordPress plugin to version 9.1.8 or later, where the issue has been fixed. Additionally, review and sanitize any existing forms, especially those with hidden fields or custom scripts, to remove any malicious payloads. Restrict form creation permissions to trusted users only. [1]