{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69326", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:12:18.800Z", "datePublished": "2026-02-20T15:46:49.532Z", "dateUpdated": "2026-04-28T20:52:47.770Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "nex-forms-express-wp-form-builder", "product": "NEX-Forms", "vendor": "Basix", "versions": [{"changes": [{"at": "9.1.8", "status": "unaffected"}], "lessThanOrEqual": "9.1.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Skalucy | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:03:42.625Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms nex-forms-express-wp-form-builder allows Reflected XSS.<p>This issue affects NEX-Forms: from n/a through <= 9.1.7.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms nex-forms-express-wp-form-builder allows Reflected XSS.This issue affects NEX-Forms: from n/a through <= 9.1.7."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:37.621Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/nex-forms-express-wp-form-builder/vulnerability/wordpress-nex-forms-plugin-9-1-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress NEX-Forms plugin <= 9.1.7 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-23T21:37:09.031080Z", "id": "CVE-2025-69326", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T20:52:47.770Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-69326", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-23T21:37:09.031080Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T21:37:10.369Z"}}], "cna": {"title": "WordPress NEX-Forms plugin <= 9.1.7 - Reflected Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Skalucy | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Basix", "product": "NEX-Forms", "versions": [{"status": "affected", "changes": [{"at": "9.1.8", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "9.1.7"}], "packageName": "nex-forms-express-wp-form-builder", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:03:42.625Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/nex-forms-express-wp-form-builder/vulnerability/wordpress-nex-forms-plugin-9-1-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms nex-forms-express-wp-form-builder allows Reflected XSS.This issue affects NEX-Forms: from n/a through <= 9.1.7.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms nex-forms-express-wp-form-builder allows Reflected XSS.<p>This issue affects NEX-Forms: from n/a through <= 9.1.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:37.621Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69326", "state": "PUBLISHED", "dateUpdated": "2026-04-28T20:52:47.770Z", "dateReserved": "2025-12-31T20:12:18.800Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:49.532Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms nex-forms-express-wp-form-builder allows Reflected XSS.This issue affects NEX-Forms: from n/a through <= 9.1.7."}, {"lang": "es", "value": "Vulnerabilidad de Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') en Basix NEX-Forms nex-forms-express-wp-form-builder permite XSS Reflejado. Este problema afecta a NEX-Forms: desde n/a hasta &lt;= 9.1.7."}], "id": "CVE-2025-69326", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:19.917", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/nex-forms-express-wp-form-builder/vulnerability/wordpress-nex-forms-plugin-9-1-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.1.7]"}}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "NEX-Forms", "source": "cna", "vendor": "Basix"}, "product": "nex-forms", "vendor": "basixonline"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-27T20:31:45.118635+00:00", "value": {"mitigation_remediation": ["Update the NEX\u2011Forms plugin to version 9.1.8 or later.", "If an immediate update is not feasible, configure the plugin or WordPress to remove or escape any script tags from user\u2011submitted data.", "Use a web application firewall or content security policy to block or mitigate the execution of injected scripts."], "summary": {"action": "Apply Patch", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The NEX\u2011Forms Express WP Form Builder plugin from Basix is affected, for all releases up to and including 9.1.7. Users running the plugin on WordPress sites with these or earlier versions are at risk.", "description_and_impact": "Improper neutralization of input in the NEX\u2011Forms WordPress plugin leads to Reflected Cross\u2011Site Scripting, allowing an attacker to inject and execute arbitrary JavaScript in the context of a victim\u2019s browser. The vulnerability is classified as CWE\u201179 and carries a CVSS score of 7.1, indicating moderate to high potential impact on confidentiality, integrity, and availability of the affected web application.", "risk_and_exploitability": "The CVSS score of 7.1 reflects a significant risk, but the EPSS score of <1% indicates a relatively low probability of exploitation in the wild. The vulnerability does not require authentication and can be triggered by sending a crafted URL or form submission that contains malicious script payloads. Because it is not listed in CISA\u2019s KEV catalog, it has not yet been widely reported as a known exploited vulnerability."}}}}, "created": "2026-02-23T14:37:30.751672+00:00", "updated": "2026-04-27T20:45:12.702263+00:00", "vendors": ["basixonline", "basixonline$PRODUCT$nex-forms", "wordpress", "wordpress$PRODUCT$wordpress"]}