A vulnerability was found in webaways NEX-Forms Plugin up to 9.2.2 on WordPress. It has been rated as problematic. This affects the function
wp_kses. This manipulation of the argument _name[] causes cross site scripting.
This vulnerability is tracked as CVE-2026-12142. The attack is possible to be carried out remotely. No exploit exists.
Upgrading the affected component is advised.