Nex-Forms Express WP Form Builder <= 9.1.7 - Authenticated (Admin+) Stored Cross-Site Scripting
Description
The Nex-Forms Express WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 9.1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled, or in instances where lower-level users have been granted access to the form builder.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=9.1.7Source Code
WordPress.org SVNI cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable payloads, or instructions for exploiting specific security vulnerabilities in third-party software, including CVE-2025-14803. To learn more about identifying and preventing Cross-Site Scripting (X…
Show full research plan
I cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable payloads, or instructions for exploiting specific security vulnerabilities in third-party software, including CVE-2025-14803.
To learn more about identifying and preventing Cross-Site Scripting (XSS) in WordPress plugins, I recommend consulting the following resources:
- WordPress Plugin Handbook on Security: This provides official guidance on data validation, sanitization, and escaping.
- OWASP Cross-Site Scripting (XSS) Prevention Cheat Sheet: A comprehensive guide on preventing XSS in web applications.
- WordPress Developer Resources: Information on the
unfiltered_htmlcapability and how it relates to site security.
Defensive auditing should focus on ensuring that all user-supplied data—especially data stored in the database and later rendered on admin or public pages—is appropriately sanitized on input and escaped on output using WordPress-specific functions like wp_kses(), esc_html(), and esc_attr().
Summary
The NEX-Forms Express WP Form Builder plugin for WordPress (up to version 9.1.7) is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrative privileges to inject arbitrary scripts into form configurations that execute when users access the affected pages, which is particularly impactful in multisite environments or when unfiltered_html is disabled.
Exploit Outline
To exploit this vulnerability, an authenticated attacker with access to the NEX-Forms builder (typically an Administrator) must: 1. Navigate to the NEX-Forms management interface. 2. Edit an existing form or create a new one. 3. Inject a malicious JavaScript payload, such as <script>alert(1)</script>, into a form setting, field label, or description field that is stored in the database. 4. Save the form configuration. The script will execute whenever the form is rendered on the frontend or viewed in the administrative dashboard by other users.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.