CVE-2026-5063: NEX-Forms WordPress Plugin Stored XSS

The National Vulnerability Database (NVD) has published CVE-2026-5063, a high-severity (CVSS 7.2) stored cross-site scripting (XSS) vulnerability in the NEX-Forms – Ultimate Forms Plugin for WordPress. The flaw affects all versions up to and including 9.1.11 and stems from insufficient input sanitization and output escaping in the submit_nex_form() function. The injection point is the unusual part: the payload travels in the names of POST parameters rather than in their values, a location that many form handlers escape late or not at all. It is a classic stored XSS vector, but that placement and the lack of an authentication requirement make its implications significant.

Attackers don’t need authentication to exploit this. A crafted form submission stores the script, which then executes in the browser of any user who later views the page that renders the stored content; for a forms plugin that commonly means whoever reviews submitted entries in the dashboard. The script runs with that user’s privileges, so the damage is not limited to defacement: it can hijack the session, harvest credentials, and drive authenticated actions in the WordPress admin panel or against other users’ sessions. The unauthenticated aspect makes this particularly dangerous, as it widens the attack surface to anyone who can reach the vulnerable form.
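To make the "parameter key names" point concrete, here is an added illustration in Python (it is not NEX-Forms code, which is PHP, and it does not reproduce the plugin's actual handler): a renderer that escapes every submitted value but writes the submitted field names into the page raw, beside the corrected version that escapes both. The request body, the form_id field, the table template and the tag-based oracle are constructed for the example.

```python
"""Added illustration (Python, not the plugin's PHP): escaping submitted values
but not the submitted field *names* leaves a stored XSS sink open."""
import html
import re
from urllib.parse import parse_qsl

# Constructed POST body for the example: the payload sits in a parameter NAME,
# the value ("hello") is harmless.
ATTACKER_BODY = (
    "action=submit_nex_form&form_id=1"
    "&%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E=hello"
)

# Tags the rendering template itself emits; anything else came from input.
TEMPLATE_TAGS = {"table", "tr", "th", "td"}


def parse_submission(body: str) -> list:
    """Decode a form-urlencoded body into (name, value) pairs; names are decoded too."""
    return parse_qsl(body, keep_blank_values=True)


def render_vulnerable(pairs) -> str:
    """Bug pattern: values are escaped, names are trusted and written into HTML raw."""
    rows = "".join(
        f"<tr><th>{name}</th><td>{html.escape(value)}</td></tr>"
        for name, value in pairs
    )
    return f"<table>{rows}</table>"


def render_hardened(pairs) -> str:
    """Fix: escape every attacker-influenced string at the HTML sink, names included.
    (The WordPress equivalent is esc_html() applied to both $key and $value.)"""
    rows = "".join(
        f"<tr><th>{html.escape(name)}</th><td>{html.escape(value)}</td></tr>"
        for name, value in pairs
    )
    return f"<table>{rows}</table>"


def foreign_tags(fragment: str) -> set:
    """Tag names in the output that the template never emits (a simple XSS oracle)."""
    found = {
        m.group(1).lower()
        for m in re.finditer(r"</?\s*([A-Za-z][A-Za-z0-9]*)", fragment)
    }
    return found - TEMPLATE_TAGS


if __name__ == "__main__":
    pairs = parse_submission(ATTACKER_BODY)
    print("decoded field names:", [name for name, _ in pairs])
    print("vulnerable output injects:", foreign_tags(render_vulnerable(pairs)))
    print("hardened output injects:  ", foreign_tags(render_hardened(pairs)))
```

The decoded third field name is `<img src=x onerror=alert(1)>`; the vulnerable renderer emits it verbatim and the oracle reports an `img` tag the template never produced, while the hardened renderer turns it into inert text. Escaping at the output sink is the fix; rejecting unexpected field names on input is a worthwhile additional layer but not a substitute, since the stored data may already be in the database.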

For defenders, this means any WordPress site running the NEX-Forms plugin at version 9.1.11 or earlier is a potential target. Exploitation requires nothing more than a crafted form submission, and the stored payload then reaches the users who review submissions, so this demands immediate attention. Patching isn’t optional here; it is a basic security hygiene step that closes a trivial client-side attack.

What This Means For You

  • If your organization uses the NEX-Forms – Ultimate Forms Plugin for WordPress, identify every installation and update it to a release newer than 9.1.11. NVD lists 9.1.11 itself as affected, so check the plugin changelog for the exact fixed version rather than stopping at 9.1.11. Until the update is applied, review stored form submissions for field names containing HTML or script markup, and audit web-server and WAF logs for submit_nex_form requests carrying such markup. Any hit means the payload has already been stored and must be removed from the database, not only blocked at the edge.

🛡️ Detection Rules

The page lists three auto-generated detection rules for this CVE, mapped to MITRE ATT&CK and exportable to six SIEM formats; the Sigma YAML of the first is reproduced below. Because the rules were machine-generated from the advisory text, treat them as a starting point to tune against your own logs rather than as production detections.

Rule 1 · level: high · ATT&CK T1190 (Initial Access)

Sigma YAML:
title: CVE-2026-5063: NEX-Forms Stored XSS via submit_nex_form POST parameter
id: scw-2026-05-03-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-5063: POST requests to the WordPress AJAX handler
  carrying action=submit_nex_form whose query string contains script or event-handler
  markup. The vulnerability is triggered through attacker-chosen parameter NAMES, so the
  rule looks for the markup itself anywhere in the query rather than for a fixed
  parameter name. Web-server access logs do not record POST bodies; this rule fires only
  when the payload appears in the URL, so pair it with WAF or reverse-proxy logs that
  capture request bodies for full coverage.
author: SCW Feed Engine (AI-generated)
date: 2026-05-03
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-5063/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection_endpoint:
    cs-method: 'POST'
    c-uri|contains: '/wp-admin/admin-ajax.php'
    cs-uri-query|contains: 'action=submit_nex_form'
  selection_payload:
    cs-uri-query|contains:
      - '<script'
      - '%3Cscript'
      - 'onerror='
      - 'onload='
      - 'javascript:'
  condition: selection_endpoint and selection_payload
falsepositives:
  - Vulnerability scanners and authorized penetration tests
  - Legitimate administrative activity (rare; HTML markup is not expected in a submit_nex_form request)

Rule source: Shimi's Cyber World

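As an added example (not part of the advisory or the rule feed), the rule's selection logic run in Python over constructed access-log lines. It shows two gaps a practitioner should know about before relying on such a rule: matching only the literal string `<script>` in the undecoded query misses percent-encoded payloads and non-script vectors such as `<img onerror=...>` unless the query is decoded first, and a payload sent in the POST body (line 3 of the sample) never appears in an access log at all. The log layout, IP addresses, timestamps and the form_id parameter are constructed.

```python
"""Added example (not part of the advisory): the Sigma rule's selection logic
applied to constructed access-log lines, beside a decoded, broader variant."""
from typing import Callable, Optional
from urllib.parse import unquote_plus

# Constructed W3C/IIS-style lines (not real traffic), fields:
#   date time c-ip cs-method c-uri cs-uri-query sc-status
# Line 3 carried its payload in the POST body, so the query shows nothing; access
# logs alone cannot detect that case.
SAMPLE_LOG = """\
2026-05-03 09:20:01 203.0.113.7 POST /wp-admin/admin-ajax.php action=submit_nex_form&form_id=3&%3Cscript%3Ealert(1)%3C/script%3E=x 200
2026-05-03 09:20:05 203.0.113.7 POST /wp-admin/admin-ajax.php action=submit_nex_form&form_id=3&<script>alert(1)</script>=x 200
2026-05-03 09:21:11 198.51.100.2 POST /wp-admin/admin-ajax.php action=submit_nex_form&form_id=3 200
2026-05-03 09:22:40 198.51.100.9 GET /wp-admin/admin-ajax.php action=heartbeat 200
2026-05-03 09:23:02 203.0.113.7 POST /wp-admin/admin-ajax.php action=submit_nex_form&form_id=3&%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E=x 200
"""

FIELDS = ("date", "time", "c-ip", "cs-method", "c-uri", "cs-uri-query", "sc-status")
XSS_MARKERS = ("<script", "<img", "<svg", "onerror=", "onload=", "javascript:")


def parse_line(line: str) -> dict:
    """Split one space-delimited log line into the named fields."""
    return dict(zip(FIELDS, line.split()))


def decode_fully(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so single and double encoding both collapse."""
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_submit_nex_form_post(e: dict) -> bool:
    """The rule's endpoint selection: POST to admin-ajax.php with action=submit_nex_form."""
    return (e["cs-method"] == "POST"
            and "/wp-admin/admin-ajax.php" in e["c-uri"]
            and "action=submit_nex_form" in e["cs-uri-query"])


def matches_as_written(e: dict) -> Optional[str]:
    """Literal selection: the raw query must contain the exact string '<script>'."""
    if is_submit_nex_form_post(e) and "<script>" in e["cs-uri-query"]:
        return "<script>"
    return None


def matches_decoded(e: dict) -> Optional[str]:
    """Decode first, then test a wider marker set; returns the first marker hit."""
    if not is_submit_nex_form_post(e):
        return None
    query = decode_fully(e["cs-uri-query"]).lower()
    return next((m for m in XSS_MARKERS if m in query), None)


def scan(log_text: str, matcher: Callable[[dict], Optional[str]]) -> list:
    """Run a matcher over every line; return (line_number, marker) for each hit."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if line.strip():
            marker = matcher(parse_line(line))
            if marker:
                hits.append((number, marker))
    return hits


if __name__ == "__main__":
    print("literal '<script>' only:", scan(SAMPLE_LOG, matches_as_written))
    print("decoded, broader set:  ", scan(SAMPLE_LOG, matches_decoded))
```

The literal matcher fires only on line 2; the decoded variant also catches the percent-encoded script on line 1 and the `<img onerror>` vector on line 5. Neither sees line 3, which is the realistic case for a form plugin that reads its fields from the POST body, so the rule is most useful when fed WAF, reverse-proxy or application-level logs that include request parameters.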

Indicators of Compromise

ID             Type  Indicator
CVE-2026-5063  XSS   NEX-Forms – Ultimate Forms Plugin for WordPress, versions <= 9.1.11
CVE-2026-5063  XSS   Vulnerable function: submit_nex_form()
CVE-2026-5063  XSS   Vulnerable parameter: POST parameter key names

These entries identify the vulnerable component rather than network or host artefacts of an actual compromise; use them for asset inventory, and look for stored markup in form submissions to determine whether exploitation has occurred.
Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 03, 2026 at 09:15 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

