CVE-2026-5063
Published: 03 May 2026
Summary
CVE-2026-5063 is a high-severity Cross-Site Scripting (CWE-79) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 14.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-5063 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in the NEX-Forms – Ultimate Forms Plugin for WordPress. It affects versions up to and including 9.1.11, stemming from insufficient input sanitization and output escaping of POST parameter key names in the submit_nex_form() function. This flaw enables the injection of arbitrary web scripts into pages. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and changed scope.
Unauthenticated attackers can exploit this vulnerability remotely by submitting forms with malicious POST parameter key names containing scripts. Once injected, the scripts persist in stored form data and execute in users' browsers whenever they access the affected pages, potentially compromising visitor sessions, stealing sensitive data, or enabling further attacks like account takeovers.
Mitigation details are available in the WordPress plugin trac changeset 3513524 at https://plugins.trac.wordpress.org/changeset/3513524/nex-forms-express-wp-form-builder, which addresses the issue. Wordfence provides additional threat intelligence, including exploitation details, at https://www.wordfence.com/threat-intel/vulnerabilities/id/9bac82ee-55bf-4381-b441-115a675e4834?source=cve. Security practitioners should update to a patched version beyond 9.1.11 and sanitize form inputs as a defense-in-depth measure.
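To make the defect class concrete, the following added illustration (not NEX-Forms code, and not the plugin's actual fix) contrasts a handler that trusts POST parameter key names with one that validates keys on input (SI-10) and escapes them on output (SI-15). The function names are hypothetical; the WordPress helpers sanitize_key(), sanitize_text_field(), wp_unslash() and esc_html() are real core functions.

```php
<?php
// Added illustration for CVE-2026-5063: the attacker-controlled surface is the
// POST *key name*, not only the value. Function names here are hypothetical.

// Vulnerable pattern: values are sanitized, but keys are copied verbatim
// into storage and later echoed raw into the page.
function store_submission_vulnerable( array $post ) {
    $stored = array();
    foreach ( $post as $key => $value ) {
        $stored[ $key ] = sanitize_text_field( wp_unslash( $value ) ); // key trusted as-is
    }
    return $stored;
}
function render_submission_vulnerable( array $stored ) {
    $html = '<table>';
    foreach ( $stored as $key => $value ) {
        // The key reaches the HTML unescaped: stored XSS on every page view.
        $html .= "<tr><th>$key</th><td>" . esc_html( $value ) . '</td></tr>';
    }
    return $html . '</table>';
}

// Hardened pattern: reject keys that are not plain identifiers (input
// validation), then escape both key and value at the output boundary.
function store_submission_hardened( array $post ) {
    $stored = array();
    foreach ( $post as $key => $value ) {
        // sanitize_key() lowercases and strips anything outside [a-z0-9_-].
        // If that changed the name, the field is not one we defined: drop it.
        $clean_key = sanitize_key( $key );
        if ( '' === $clean_key || $clean_key !== strtolower( $key ) ) {
            continue;
        }
        $stored[ $clean_key ] = sanitize_text_field( wp_unslash( $value ) );
    }
    return $stored;
}
function render_submission_hardened( array $stored ) {
    $html = '<table>';
    foreach ( $stored as $key => $value ) {
        // Escape regardless of what storage holds; defense in depth.
        $html .= '<tr><th>' . esc_html( $key ) . '</th><td>' . esc_html( $value ) . '</td></tr>';
    }
    return $html . '</table>';
}

// Constructed sample submission (not real traffic): one expected field and
// one field whose *name* smuggles markup. The hardened store drops the second.
$sample = array( 'email' => 'a@example.test', 'name<i>x</i>' => 'bob' );
```

Under the hardened handler only the `email` field is stored, and even a key that slipped through would render as text rather than markup.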
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26815
Vulnerability details
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via POST parameter key names in the submit_nex_form() function in versions up to, and including, 9.1.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in a public-facing WordPress plugin enables remote exploitation of the application (T1190) and execution of injected JavaScript in victim browsers (T1059.007).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly enforces validation and sanitization of POST parameter key names to block injection of malicious scripts in the submit_nex_form() function.
- SI-15 (Information Output Filtering): requires output filtering and escaping of stored form data to prevent execution of injected scripts when pages are accessed.
- SI-2 (Flaw Remediation): mandates timely flaw remediation by patching the vulnerable NEX-Forms plugin versions up to and including 9.1.11, as detailed in the mitigation changeset referenced above.