{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3468", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-09T11:54:37.522Z", "datePublished": "2025-05-08T11:13:44.979Z", "dateUpdated": "2026-04-08T17:12:49.895Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:49.895Z"}, "affected": [{"vendor": "webaways", "product": "NEX-Forms \u2013 Ultimate Forms Plugin for WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "8.9.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The NEX-Forms \u2013 Ultimate Form Builder \u2013 Contact forms and much more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the clean_html and form_fields parameters in all versions up to, and including, 8.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "NEX-Forms \u2013 Ultimate Form Builder \u2013 Contact forms and much more <= 8.9.1 - Authenticated (Custom) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a33a7ba5-c6f8-4cf4-8011-8312e9c5da8f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.db.php?rev=3226607#L303"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Antonio Francesco Sardella"}], "timeline": [{"time": "2025-01-26T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-05-07T21:30:27.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-08T13:33:03.548525Z", "id": "CVE-2025-3468", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-08T13:34:14.166Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3468", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-08T13:33:03.548525Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-08T13:33:27.396Z"}}], "cna": {"title": "NEX-Forms \u2013 Ultimate Form Builder \u2013 Contact forms and much more <= 8.9.1 - Authenticated (Custom) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Antonio Francesco Sardella"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "webaways", "product": "NEX-Forms \u2013 Ultimate Forms Plugin for WordPress", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "8.9.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-01-26T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-05-07T21:30:27.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a33a7ba5-c6f8-4cf4-8011-8312e9c5da8f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.db.php?rev=3226607#L303"}], "descriptions": [{"lang": "en", "value": "The NEX-Forms \u2013 Ultimate Form Builder \u2013 Contact forms and much more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the clean_html and form_fields parameters in all versions up to, and including, 8.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:49.895Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3468", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:12:49.895Z", "dateReserved": "2025-04-09T11:54:37.522Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-08T11:13:44.979Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:basixonline:nex-forms:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "97BE2BAD-8A11-4367-A784-5947EE85FB05", "versionEndExcluding": "8.9.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The NEX-Forms \u2013 Ultimate Form Builder \u2013 Contact forms and much more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the clean_html and form_fields parameters in all versions up to, and including, 8.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento NEX-Forms \u2013 Ultimate Form Builder \u2013 Contact forms and much more para WordPress es vulnerable a cross site scripting almacenado a trav\u00e9s de los par\u00e1metros clean_html y form_fields en todas las versiones hasta la 8.9.1 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de nivel personalizado, inyectar secuencias de comandos web arbitrarias en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-3468", "lastModified": "2025-06-04T22:54:54.960", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-05-08T12:15:17.643", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.db.php?rev=3226607#L303"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a33a7ba5-c6f8-4cf4-8011-8312e9c5da8f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T20:54:34.262072+00:00", "value": {"mitigation_remediation": ["Upgrade the NEX\u2011Forms plugin to version 8.9.2 or later, which removes the vulnerable handling of clean_html and form_fields and addresses the input validation and output escaping weakness identified as CWE\u201179.", "If an upgrade is not immediately possible, revoke Custom\u2011level privileges from users or restrict form management to trusted accounts to reduce the attack surface.", "As a temporary safeguard, implement a content security policy that blocks inline scripts on form pages and limits script execution, thereby mitigating the impact of any stored XSS."], "summary": {"action": "Apply patch", "impact": "Stored Cross\u2011Site Scripting where authenticated Custom users can inject executable scripts into form pages"}, "threat_synthesis": {"affected_systems": "This weakness affects all installations of the NEX\u2011Forms \u2013 Ultimate Forms Plugin for WordPress with version 8.9.1 or earlier. The plugin is distributed under the webaways brand and identified in the vendor list as webaways:NEX\u2011Forms. No later versions are known to be affected.", "description_and_impact": "The vulnerability resides in the NEX\u2011Forms plugin for WordPress, due to inadequate sanitization of the clean_html and form_fields parameters. It permits an authenticated user with Custom privileges to inject malicious scripts that are stored and subsequently executed whenever the affected form page is viewed. This can lead to compromised client session data, cookie theft, defacement, or other client\u2011side attacks against any visitor who loads the injected page.", "risk_and_exploitability": "With a CVSS score of 6.4 the severity is moderate. The EPSS value is below 1\u202f%, indicating a low current exploitation probability. The vulnerability is not listed in CISA\u2019s KEV catalog. An attacker would need authenticated Custom\u2011level access to create or edit a form; from that position they can submit malicious payloads that fulfill the stored XSS condition. Once a victim prompts a page containing the injected code, the script runs in that victim\u2019s browser."}}}}, "created": "2026-04-21T21:00:36.008195+00:00", "updated": "2026-04-21T21:00:36.008205+00:00", "vendors": []}