CVE Catalog

CVE-2026-13040

Severity: High (CVSS 7.2)
Published:
Source: NVD (NIST), translated

Summary

The NEX-Forms plugin for WordPress, in all versions up to and including 9.2.2, is vulnerable to stored cross-site scripting via the 'real_val__' form-submission parameter: the value is neither sanitized on input nor escaped on output. An unauthenticated attacker can submit a payload that is stored and then executes in the browser of any user who views a page rendering it.

Risk Assessment

An attacker can inject JavaScript that runs in the context of the site, enabling session hijacking, phishing redirects or defacement. The submission endpoint requires neither authentication nor a nonce (CSRF token), so exploitation needs no credentials and no victim interaction beyond later viewing the injected content, which increases the risk of widespread, automated attacks against unpatched sites.

Recommendation

Update the NEX-Forms plugin to a release later than 9.2.2 as soon as one is available. If updating is not possible, deactivate the plugin; deactivation also unregisters the wp_ajax_nopriv_submit_nex_form action, so the submission endpoint (admin-ajax.php with action=submit_nex_form) stops responding. As an interim control, a WAF rule that blocks that action, or POST requests to admin-ajax.php whose real_val__ parameter contains markup, limits exposure. Because patching stops new injections but does not remove payloads already stored, review existing submissions for injected markup after updating.

Original NVD description (English source)

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'real_val__' parameter in all versions up to, and including, 9.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The submission endpoint is registered via wp_ajax_nopriv_submit_nex_form with no nonce verification, making it fully accessible to unauthenticated attackers without any CSRF token.
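The description above names the three ingredients of the bug: a nopriv AJAX action with no nonce verification, a parameter stored without sanitization, and output rendered without escaping. The following is an added illustration of that anti-pattern beside a hardened equivalent; it is not the NEX-Forms code, and the option name, render function, nonce action name and form layout are assumptions for this example. Only the action hook and the parameter name come from the advisory.

```php
<?php
// Added illustration, not NEX-Forms code. The hook name and the 'real_val__'
// parameter are from the advisory; everything else (option name, render
// function, nonce action) is assumed for the example.

// ---------- Anti-pattern the advisory describes ----------
// Would be wired up as:
//   add_action( 'wp_ajax_nopriv_submit_nex_form', 'example_vulnerable_submit' );
//   add_action( 'wp_ajax_submit_nex_form',        'example_vulnerable_submit' );
// (left unregistered here so it cannot collide with the hardened handler)
function example_vulnerable_submit() {
    // No check_ajax_referer(): any origin can POST here (no CSRF token needed),
    // and the nopriv hook means no login is needed either.
    $entry = array(
        // Stored exactly as received: <script>...</script> survives intact.
        'real_val__' => isset( $_POST['real_val__'] ) ? $_POST['real_val__'] : '',
    );
    $entries   = get_option( 'example_form_entries', array() );
    $entries[] = $entry;
    update_option( 'example_form_entries', $entries );
    wp_send_json_success();
}

function example_vulnerable_render_entries() {
    foreach ( get_option( 'example_form_entries', array() ) as $entry ) {
        // Unescaped output: whatever was stored runs for whoever views this page.
        echo '<td>' . $entry['real_val__'] . '</td>';
    }
}

// ---------- Hardened equivalent ----------
add_action( 'wp_ajax_nopriv_submit_nex_form', 'example_hardened_submit' );
add_action( 'wp_ajax_submit_nex_form',        'example_hardened_submit' );

function example_hardened_submit() {
    // 1. CSRF: the form must carry a token minted by
    //    wp_create_nonce( 'example_submit' ) in a 'nonce' field.
    //    check_ajax_referer() dies with HTTP 403 when it is missing or stale.
    check_ajax_referer( 'example_submit', 'nonce' );

    // 2. Sanitize on input: wp_unslash() undoes WordPress' magic-quotes
    //    slashing, sanitize_text_field() strips tags and control characters.
    $value = isset( $_POST['real_val__'] )
        ? sanitize_text_field( wp_unslash( $_POST['real_val__'] ) )
        : '';

    $entries   = get_option( 'example_form_entries', array() );
    $entries[] = array( 'real_val__' => $value );
    update_option( 'example_form_entries', $entries );
    wp_send_json_success();
}

function example_hardened_render_entries() {
    foreach ( get_option( 'example_form_entries', array() ) as $entry ) {
        // 3. Escape on output regardless of what is stored. This is the line
        //    that neutralises payloads stored before the fix.
        echo '<td>' . esc_html( $entry['real_val__'] ) . '</td>';
    }
}

// The public form that posts to the endpoint needs to embed the nonce:
function example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="submit_nex_form">';
    wp_nonce_field( 'example_submit', 'nonce' );
    echo '<input type="text" name="real_val__">';
    echo '<button type="submit">Send</button>';
    echo '</form>';
}
```

Two caveats when applying this to a public form. A nonce on a nopriv endpoint is CSRF protection, not XSS protection: an unauthenticated attacker can always load the public form, read a fresh nonce out of it and submit a payload, so the sanitization and the esc_html() on output are what actually close the XSS. And page caching can serve a stale nonce to visitors, so the nonce check on a public form should fail gracefully rather than silently dropping legitimate submissions.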

Vulnerability data from NVD (NIST) · CISA KEV · EPSS