NEX-Forms – Ultimate Forms Plugin for WordPress < 9.1.10 – Missing Authorization to Unauthenticated Arbitrary Form Entry Modification via nf_set_entry_update_id | CVE 2026-1947 | Plugin Vulnerabilities

Description

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 9.1.9 via the submit_nex_form() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to to overwrite arbitrary form entries via the 'nf_set_entry_update_id' parameter.

Affects Plugins

nex-forms-express-wp-form-builder

Fixed in 9.1.10

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/b2a8c307-2430-4ea9-afe0-e5e758eabdd1

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Youssef Elouaer

Verified

No

WPVDB ID

4d9ba78e-5aec-41e7-95af-8913488f2d6a

Timeline

Publicly Published

2026-03-14 (about 3 months ago)

Added

2026-03-14 (about 3 months ago)

Last Updated

2026-03-15 (about 3 months ago)

Other

Published

Title

Published

2025-12-11

Title

Ultra Addons for Contact Form 7 < 3.5.34 - Missing Authorization to Authenticated (Subscriber+) to Generate Form Submission PDF

Published

2025-10-21

Title

Flexible Refund and Return Order for WooCommerce < 1.0.39 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order Refund

Published

2026-06-22

Title

WP Job Portal < 2.5.5 - Subscriber+ Employer Email Disclosure via IDOR

Published

2024-01-05

Title

Profile Builder < 3.10.8 - Contributor+ User Metadata Disclosure

Published

2024-03-26

Title

Event Tickets and Registration < 5.8.3 - Improper Authorization to Information Disclosure