CVE-2025-14803
Nex-Forms Express WP Form Builder < 9.1.8 - Authenticated Stored XSSThe NEX-Forms WordPress plugin before 9.1.8 does not sanitise and escape some of its settings. The NEX-Forms WordPress plugin before 9.1.8 can be configured in such a way that could allow subscribers to perform Stored Cross-Site Scripting.
We have discovered 680 live websites that are affected by CVE-2025-14803.
Affected Software
| Product |  Nex Forms Express Wp Form Builder |
| Category | Wordpress Plugins |
| Vulnerable Domains | 680 live websites (93% of Nex Forms Express Wp Form Builder install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 35 versions ( 95% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Jan 9, 2026
- Updated - Jan 9, 2026
Credits
- Vuln Seeker Cyber Security Team (finder)
- WPScan (coordinator)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-14803 United States | 187 websites |
 Germany | 144 websites |
 Netherlands | 28 websites |
 France | 27 websites |
 Austria | 26 websites |
 GB | 26 websites |
 Canada | 24 websites |
 Australia | 22 websites |
 Italy | 21 websites |
 Turkey | 15 websites |
Website Distribution by TLD
Number of websites using CVE-2025-14803| .com | 264 websites |
| .de | 97 websites |
| .nl | 29 websites |
| .at | 24 websites |
| .org | 24 websites |
| .com.au | 22 websites |
| .it | 16 websites |
| .co.uk | 13 websites |
| .fr | 13 websites |
| .ca | 10 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-14803
Top websites that are affected by CVE-2025-14803. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ******.de | Germany | ***,*** | |
| ******.at | Austria | ***,*** | |
| *********.be |  Belgium | *,***,*** | |
| *************.com | France | *,***,*** | |
| *******.***.za |  South Africa | *,***,*** | |
| ****************.nl | Netherlands | *,***,*** | |
| ********.com | Germany | *,***,*** | |
| *****.***.za | South Africa | *,***,*** | |
| **************.com | United States | *,***,*** | |
| **************.de | Germany | *,***,*** |
FAQ
CVE-2025-14803 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Nex Forms Express Wp Form Builder
A total of 680 websites have been identified as vulnerable to CVE-2025-14803, based on global website indexing conducted by WebTechSurvey.
The Nex Forms Express Wp Form Builder is affected by the CVE-2025-14803 vulnerability.
Nex Forms Express Wp Form Builder versions up to 9.1.8 are vulnerable to CVE-2025-14803.
CVE-2025-14803 is resolved in version 9.1.8 of Nex Forms Express Wp Form Builder.