WordPress Plugin Vulnerabilities

NEX-Forms – Ultimate Forms Plugin for WordPress < 9.1.9 - Missing Authorization to Unauthenticated Sensitive Information Exposure

Description

The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5_Export_Forms class constructor in all versions up to, and including, 9.1.8. This makes it possible for unauthenticated attackers to export form configurations, that may include sensitive data, such as email addresses, PayPal API credentials, and third-party integration keys by enumerating the nex_forms_Id parameter.

Affects Plugins

Plugin icon
nex-forms-express-wp-form-builder
Fixed in 9.1.9

References

CVE
CVE-2025-15510
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ddfa5a3d-fef2-4049-915c-51c3e28153bf

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Deadbee
Verified
No
WPVDB ID
c7b69930-d722-491d-841c-f749faf55003

Timeline

Publicly Published
2026-01-30 (about 2 months ago)
Added
2026-01-30 (about 2 months ago)
Last Updated
2026-01-31 (about 2 months ago)

Other

Published
Title
Published
2024-12-11
Title
WPCargo Track & Trace <= 8.0.2 - Subscriber+ Settings Update
Published
2025-09-06
Title
UDesign Core <= 4.14.0 - Missing Authorization
Published
2024-04-29
Title
ReviewX < 1.6.22 - Missing Authorization
Published
2025-12-30
Title
JetTabs < 2.2.12.1 - Missing Authorization
Published
2026-01-24
Title
Wired Impact Volunteer Management < 2.8.1 - Missing Authorization