July 3, 2026

Unauthenticated Stored XSS in NEX-Forms Express WP Form Builder (≤ 9.1.10)

TL;DR: Any anonymous visitor can POST a JavaScript payload to NEX-Forms’ form submission endpoint. The plugin stores it unsanitized in the…

By Sandiyo Christan
