Search criteria
6 vulnerabilities found for NEX-Forms – Ultimate Forms Plugin for WordPress by webaways
CVE-2025-10185 (GCVE-0-2025-10185)
Vulnerability from cvelistv5 – Published: 2025-10-11 07:25 – Updated: 2025-10-14 14:11
VLAI?
Title
NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.6 - Authenticated (Admin+) SQL Injection
Summary
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in the action nf_load_form_entries in all versions up to, and including, 9.1.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This may be exploitable by lower-level users if access is granted by a site administrator.
Severity ?
4.9 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| webaways | NEX-Forms – Ultimate Forms Plugin for WordPress |
Affected:
* , ≤ 9.1.6
(semver)
|
Credits
Đức Tài
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10185",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-14T13:31:04.403205Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T14:11:54.230Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NEX-Forms \u2013 Ultimate Forms Plugin for WordPress",
"vendor": "webaways",
"versions": [
{
"lessThanOrEqual": "9.1.6",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "\u0110\u1ee9c T\u00e0i"
}
],
"descriptions": [
{
"lang": "en",
"value": "The NEX-Forms \u2013 Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to SQL Injection via the \u0027orderby\u0027 parameter in the action nf_load_form_entries in all versions up to, and including, 9.1.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This may be exploitable by lower-level users if access is granted by a site administrator."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-11T07:25:58.079Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e68d47e7-9a42-4a77-aefa-fe130500cbd3?source=cve"
},
{
"url": "https://plugins.svn.wordpress.org/nex-forms-express-wp-form-builder/tags/9.1.4/includes/classes/class.db.php#2527"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3365585/nex-forms-express-wp-form-builder/trunk/includes/classes/class.db.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-10T05:24:01.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-10-10T19:07:08.000+00:00",
"value": "Disclosed"
}
],
"title": "NEX-Forms \u2013 Ultimate Forms Plugin for WordPress \u003c= 9.1.6 - Authenticated (Admin+) SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10185",
"datePublished": "2025-10-11T07:25:58.079Z",
"dateReserved": "2025-09-09T15:11:39.813Z",
"dateUpdated": "2025-10-14T14:11:54.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3468 (GCVE-0-2025-3468)
Vulnerability from cvelistv5 – Published: 2025-05-08 11:13 – Updated: 2025-05-08 13:34
VLAI?
Title
NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.9.1 - Authenticated (Custom) Stored Cross-Site Scripting
Summary
The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the clean_html and form_fields parameters in all versions up to, and including, 8.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| webaways | NEX-Forms – Ultimate Forms Plugin for WordPress |
Affected:
* , ≤ 8.9.1
(semver)
|
Credits
Antonio Francesco Sardella
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3468",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T13:33:03.548525Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T13:34:14.166Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NEX-Forms \u2013 Ultimate Forms Plugin for WordPress",
"vendor": "webaways",
"versions": [
{
"lessThanOrEqual": "8.9.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Antonio Francesco Sardella"
}
],
"descriptions": [
{
"lang": "en",
"value": "The NEX-Forms \u2013 Ultimate Form Builder \u2013 Contact forms and much more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the clean_html and form_fields parameters in all versions up to, and including, 8.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T11:13:44.979Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a33a7ba5-c6f8-4cf4-8011-8312e9c5da8f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.db.php?rev=3226607#L303"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-26T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-05-07T21:30:27.000+00:00",
"value": "Disclosed"
}
],
"title": "NEX-Forms \u2013 Ultimate Form Builder \u2013 Contact forms and much more \u003c= 8.9.1 - Authenticated (Custom) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-3468",
"datePublished": "2025-05-08T11:13:44.979Z",
"dateReserved": "2025-04-09T11:54:37.522Z",
"dateUpdated": "2025-05-08T13:34:14.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4208 (GCVE-0-2025-4208)
Vulnerability from cvelistv5 – Published: 2025-05-08 11:13 – Updated: 2025-05-08 13:38
VLAI?
Title
NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.9.1 - Authenticated (Custom) Limited Code Execution via get_table_records Function
Summary
The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Limited Code Execution in all versions up to, and including, 8.9.1 via the get_table_records function. This is due to the unsanitized use of user-supplied input in call_user_func(). This makes it possible for authenticated attackers, with Custom-level access, to execute arbitrary PHP functions that meet specific constraints (static methods or global functions accepting a single array parameter).
Severity ?
6.3 (Medium)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| webaways | NEX-Forms – Ultimate Forms Plugin for WordPress |
Affected:
* , ≤ 8.9.1
(semver)
|
Credits
Antonio Francesco Sardella
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4208",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T13:38:03.681589Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T13:38:29.978Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NEX-Forms \u2013 Ultimate Forms Plugin for WordPress",
"vendor": "webaways",
"versions": [
{
"lessThanOrEqual": "8.9.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Antonio Francesco Sardella"
}
],
"descriptions": [
{
"lang": "en",
"value": "The NEX-Forms \u2013 Ultimate Form Builder \u2013 Contact forms and much more plugin for WordPress is vulnerable to Limited Code Execution in all versions up to, and including, 8.9.1 via the get_table_records function. This is due to the unsanitized use of user-supplied input in call_user_func(). This makes it possible for authenticated attackers, with Custom-level access, to execute arbitrary PHP functions that meet specific constraints (static methods or global functions accepting a single array parameter)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T11:13:44.068Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1d2b7215-d3a7-4e5a-ae9b-65fecc26dceb?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php?rev=3226607#L3420"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-26T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-05-07T21:30:44.000+00:00",
"value": "Disclosed"
}
],
"title": "NEX-Forms \u2013 Ultimate Form Builder \u2013 Contact forms and much more \u003c= 8.9.1 - Authenticated (Custom) Limited Code Execution via get_table_records Function"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-4208",
"datePublished": "2025-05-08T11:13:44.068Z",
"dateReserved": "2025-05-02T00:28:53.112Z",
"dateUpdated": "2025-05-08T13:38:29.978Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10185 (GCVE-0-2025-10185)
Vulnerability from nvd – Published: 2025-10-11 07:25 – Updated: 2025-10-14 14:11
VLAI?
Title
NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.6 - Authenticated (Admin+) SQL Injection
Summary
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in the action nf_load_form_entries in all versions up to, and including, 9.1.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This may be exploitable by lower-level users if access is granted by a site administrator.
Severity ?
4.9 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| webaways | NEX-Forms – Ultimate Forms Plugin for WordPress |
Affected:
* , ≤ 9.1.6
(semver)
|
Credits
Đức Tài
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10185",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-14T13:31:04.403205Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T14:11:54.230Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NEX-Forms \u2013 Ultimate Forms Plugin for WordPress",
"vendor": "webaways",
"versions": [
{
"lessThanOrEqual": "9.1.6",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "\u0110\u1ee9c T\u00e0i"
}
],
"descriptions": [
{
"lang": "en",
"value": "The NEX-Forms \u2013 Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to SQL Injection via the \u0027orderby\u0027 parameter in the action nf_load_form_entries in all versions up to, and including, 9.1.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This may be exploitable by lower-level users if access is granted by a site administrator."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-11T07:25:58.079Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e68d47e7-9a42-4a77-aefa-fe130500cbd3?source=cve"
},
{
"url": "https://plugins.svn.wordpress.org/nex-forms-express-wp-form-builder/tags/9.1.4/includes/classes/class.db.php#2527"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3365585/nex-forms-express-wp-form-builder/trunk/includes/classes/class.db.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-10T05:24:01.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-10-10T19:07:08.000+00:00",
"value": "Disclosed"
}
],
"title": "NEX-Forms \u2013 Ultimate Forms Plugin for WordPress \u003c= 9.1.6 - Authenticated (Admin+) SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10185",
"datePublished": "2025-10-11T07:25:58.079Z",
"dateReserved": "2025-09-09T15:11:39.813Z",
"dateUpdated": "2025-10-14T14:11:54.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3468 (GCVE-0-2025-3468)
Vulnerability from nvd – Published: 2025-05-08 11:13 – Updated: 2025-05-08 13:34
VLAI?
Title
NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.9.1 - Authenticated (Custom) Stored Cross-Site Scripting
Summary
The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the clean_html and form_fields parameters in all versions up to, and including, 8.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| webaways | NEX-Forms – Ultimate Forms Plugin for WordPress |
Affected:
* , ≤ 8.9.1
(semver)
|
Credits
Antonio Francesco Sardella
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3468",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T13:33:03.548525Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T13:34:14.166Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NEX-Forms \u2013 Ultimate Forms Plugin for WordPress",
"vendor": "webaways",
"versions": [
{
"lessThanOrEqual": "8.9.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Antonio Francesco Sardella"
}
],
"descriptions": [
{
"lang": "en",
"value": "The NEX-Forms \u2013 Ultimate Form Builder \u2013 Contact forms and much more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the clean_html and form_fields parameters in all versions up to, and including, 8.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T11:13:44.979Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a33a7ba5-c6f8-4cf4-8011-8312e9c5da8f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.db.php?rev=3226607#L303"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-26T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-05-07T21:30:27.000+00:00",
"value": "Disclosed"
}
],
"title": "NEX-Forms \u2013 Ultimate Form Builder \u2013 Contact forms and much more \u003c= 8.9.1 - Authenticated (Custom) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-3468",
"datePublished": "2025-05-08T11:13:44.979Z",
"dateReserved": "2025-04-09T11:54:37.522Z",
"dateUpdated": "2025-05-08T13:34:14.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4208 (GCVE-0-2025-4208)
Vulnerability from nvd – Published: 2025-05-08 11:13 – Updated: 2025-05-08 13:38
VLAI?
Title
NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.9.1 - Authenticated (Custom) Limited Code Execution via get_table_records Function
Summary
The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Limited Code Execution in all versions up to, and including, 8.9.1 via the get_table_records function. This is due to the unsanitized use of user-supplied input in call_user_func(). This makes it possible for authenticated attackers, with Custom-level access, to execute arbitrary PHP functions that meet specific constraints (static methods or global functions accepting a single array parameter).
Severity ?
6.3 (Medium)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| webaways | NEX-Forms – Ultimate Forms Plugin for WordPress |
Affected:
* , ≤ 8.9.1
(semver)
|
Credits
Antonio Francesco Sardella
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4208",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T13:38:03.681589Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T13:38:29.978Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NEX-Forms \u2013 Ultimate Forms Plugin for WordPress",
"vendor": "webaways",
"versions": [
{
"lessThanOrEqual": "8.9.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Antonio Francesco Sardella"
}
],
"descriptions": [
{
"lang": "en",
"value": "The NEX-Forms \u2013 Ultimate Form Builder \u2013 Contact forms and much more plugin for WordPress is vulnerable to Limited Code Execution in all versions up to, and including, 8.9.1 via the get_table_records function. This is due to the unsanitized use of user-supplied input in call_user_func(). This makes it possible for authenticated attackers, with Custom-level access, to execute arbitrary PHP functions that meet specific constraints (static methods or global functions accepting a single array parameter)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T11:13:44.068Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1d2b7215-d3a7-4e5a-ae9b-65fecc26dceb?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php?rev=3226607#L3420"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-26T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-05-07T21:30:44.000+00:00",
"value": "Disclosed"
}
],
"title": "NEX-Forms \u2013 Ultimate Form Builder \u2013 Contact forms and much more \u003c= 8.9.1 - Authenticated (Custom) Limited Code Execution via get_table_records Function"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-4208",
"datePublished": "2025-05-08T11:13:44.068Z",
"dateReserved": "2025-05-02T00:28:53.112Z",
"dateUpdated": "2025-05-08T13:38:29.978Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}