WordPress Plugin Vulnerabilities

NEX-Forms – Ultimate Forms Plugin for WordPress < 9.1.10 - Missing Authorization to Authenticated (Subscriber+) License Deactivation via deactivate_license

Description

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_license() function in all versions up to, and including, 9.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to to deactivate the plugin license.

Affects Plugins

Plugin icon
nex-forms-express-wp-form-builder
Fixed in 9.1.10

References

CVE
CVE-2026-1948
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/23b21dbd-caf7-49fc-bed4-4017151ee4ad

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Legion Hunter
Verified
No
WPVDB ID
329431b0-76db-4a3e-9442-bc1a20008def

Timeline

Publicly Published
2026-03-13 (about 23 days ago)
Added
2026-03-13 (about 23 days ago)
Last Updated
2026-03-14 (about 23 days ago)

Other

Published
Title
Published
2025-05-06
Title
Login Lockdown & Protection < 2.12 - Missing Authorization to Authenticated (Subscriber+) Arbitrary IP Whitelisting
Published
2025-11-14
Title
Lobo < 2.8.7 - Missing Authorization
Published
2024-07-18
Title
YITH Essential Kit for WooCommerce #1 < 2.35.0 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install, Activation, and Deactivation
Published
2025-03-06
Title
School Management System for Wordpress <= 93.0.0 - Missing Authorization to Unauthenticated Arbitrary Post Deletion
Published
2025-06-12
Title
WP Travel Engine < 6.5.2 - Missing Authorization to Unauthenticated Arbitrary Post Deletion