CVE-2025-14803 | THREATINT

Description

The NEX-Forms WordPress plugin before 9.1.8 does not sanitise and escape some of its settings. The NEX-Forms WordPress plugin before 9.1.8 can be configured in such a way that could allow subscribers to perform Stored Cross-Site Scripting.

PUBLISHED Reserved 2025-12-16 | Published 2026-01-09 | Updated 2026-01-09 | Assigner WPScan

Problem types

CWE-79 Cross-Site Scripting (XSS)

Product status

Default status

unaffected

Any version before 9.1.8

affected

Credits

Vuln Seeker Cyber Security Team finder

WPScan coordinator

References

wpscan.com/...rability/219af0e7-3d8b-4405-8005-b8969a370b0b/ exploit vdb-entry technical-description

cve.org (CVE-2025-14803)

nvd.nist.gov (CVE-2025-14803)

Download JSON