The NEX-Forms WordPress plugin before 8.4.4 does not escape its form name, which could lead to Stored Cross-Site Scripting issues. By default only SuperAdmins (in multisite) / admins (in single site) can create forms, however there is a settings allowing them to give lower roles access to such feature.
2023-07-17T14:15:09.553
2024-11-21T07:37:11.000
Modified
CVSSv3.1: 5.4 (MEDIUM)
-
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | basixonline | nex-forms | < 8.4.4 | Yes |