
CVE-2026-5063

HIGH · 7.2
Hype: MOSTLY HYPE · 22 hack

Fresh advisory recycled by feeds; no PoC, exploit, or KEV signal; automated chatter dominates.

What: Stored XSS in the NEX-Forms WordPress plugin (≤9.1.11) via POST parameter key names; CVSS 7.2 HIGH, lets unauthenticated attackers inject scripts.

Why it matters: CVE published today with HIGH severity, but not yet KEV-listed. No public PoC or vendor patch announced. Social chatter consists of automated feeds and threat intel aggregators amplifying the advisory itself, with one post advising that the plugin be disabled because no remediation is available. No defender triage or in-the-wild exploitation reports.

Where it's seen: Vulnerability feed reshares (VulmonFeeds, threat radar), Japanese-language advisory posts, and generic security alert amplification across Bluesky and X. No vendor statement, no PoC repositories, no developer questions.

RISK: HIGH — Stored XSS in widely-deployed WordPress plugin affecting unauthenticated users; no patch available yet.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 5/3/2026, 8:05:43 AM

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via POST parameter key names in the submit_nex_form() function in versions up to, and including, 9.1.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Public PoCs on GitHub: 3 repos

Articles & coverage: 13 articles

  • EUVD-2026-5063 - European Union

    Summary. In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory

  • CVE-2024-5063: PHPGurukul Course Registration SQLI Flaw

    CVE-2024-5063 is a critical SQL injection vulnerability in PHPGurukul Online Course Registration System 3.1 affecting the admin login page.

  • CVE-2026-25063 - Exploits & Severity - Feedly

    CVE-2026-25063. A command injection vulnerability exists in gradle-completion up to and including version 9.3.0. The Bash completion script fails to adequately sanitize Gradle task names and task descriptions, allowing arbitrary code execution when a user triggers Bash tab completion in a project containing a malicious Gradle build file. The first patched version is gradle-completion 9.3.1. User

  • AlmaLinux 10 : libarchive (ALSA-2026:5063) | Tenable®

    The remote AlmaLinux 10 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2026:5063 advisory.

  • New Linux 'Copy Fail' flaw gives hackers root on major distros

    Although the cybersecurity company developed and tested a "100% reliable" Python-based exploit for four Linux distributions (Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16), the researchers say that the 732-byte "script roots every Linux distribution shipped since 2017." In a detailed write-up, the researchers say that

NVD details: 1 CWE · 0 vendors · 2 refs

