VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 31 known issues Latest disclosed Mar 14, 2026

NEX-Forms – Ultimate Forms Plugin for WordPress Vulnerabilities

Review known vulnerability records for the WordPress plugin NEX-Forms – Ultimate Forms Plugin for WordPress (`nex-forms-express-wp-form-builder`), including severity, CVE references, affected versions, and patch status.

View on WordPress.org Back to Feed
Known Records
31
High or Critical
7
Linked CVEs
30
Last Updated
Mar 14, 2026
Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for NEX-Forms – Ultimate Forms Plugin for WordPress so operators can quickly confirm whether a disclosed issue maps to the installed slug and version range.

Patch Visibility
31 records include a published patch path.
Severity Mix
2 critical and 5 high severity findings.
Reference Workflow
Jump from the hub into the full report when you need remediation notes, CVSS vector details, or source references.
Known Vulnerabilities

Reports for NEX-Forms – Ultimate Forms Plugin for WordPress

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: Yes CVE-2026-1947
NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Unauthenticated Arbitrary Form Entry Modification via nf_set_entry_update_id

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 9.1.9 via the submit_nex_form() function due to missing validation on a user controlled key. This makes it possible for...

Published
Mar 14, 2026
Patched Release
9.1.10
Affected Versions
Versions up to 9.1.9
Next Step
Update to 9.1.10 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2026-1948
NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Authenticated (Subscriber+) License Deactivation via deactivate_license

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_license() function in all versions up to, and including, 9.1.9. This makes it possible for authenticated...

Published
Mar 13, 2026
Patched Release
9.1.10
Affected Versions
Versions up to 9.1.9
Next Step
Update to 9.1.10 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-69326
NEX-Forms <= 9.1.7 - Reflected Cross-Site Scripting

The NEX-Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 9.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages tha...

Published
Feb 09, 2026
Patched Release
9.1.8
Affected Versions
Versions up to 9.1.7
Next Step
Update to 9.1.8 or newer if supported.
Open Full Report Open CVE Reference
Plugin High Patched: Yes CVE-2025-69324
NEX-Forms <= 9.1.7 - Unauthenticated Stored Cross-Site Scripting

The NEX-Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 9.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...

Published
Feb 04, 2026
Patched Release
9.1.8
Affected Versions
Versions up to 9.1.7
Next Step
Update to 9.1.8 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-15510
NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.8 - Missing Authorization to Unauthenticated Sensitive Information Exposure

The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5_Export_Forms class constructor in all versions up to, and including, 9.1.8. This makes it possible for unauthenticated attackers to export...

Published
Jan 30, 2026
Patched Release
9.1.9
Affected Versions
Versions up to 9.1.8
Next Step
Update to 9.1.9 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-14803
Nex-Forms Express WP Form Builder <= 9.1.7 - Authenticated (Admin+) Stored Cross-Site Scripting

The Nex-Forms Express WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 9.1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

Published
Dec 19, 2025
Patched Release
9.1.8
Affected Versions
Versions up to 9.1.7
Next Step
Update to 9.1.8 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-10185
NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.6 - Authenticated (Admin+) SQL Injection

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in the action nf_load_form_entries in all versions up to, and including, 9.1.6 due to insufficient escaping on the user supplied parameter and lack...

Published
Oct 10, 2025
Patched Release
9.1.7
Affected Versions
Versions up to 9.1.6
Next Step
Update to 9.1.7 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-49399
NEX-Forms <= 9.1.3 - Cross-Site Request Forgery

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attacke...

Published
Aug 20, 2025
Patched Release
9.1.4
Affected Versions
Versions up to 9.1.3
Next Step
Update to 9.1.4 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-4208
NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.9.1 - Authenticated (Custom) Limited Code Execution via get_table_records Function

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Limited Code Execution in all versions up to, and including, 8.9.1 via the get_table_records function. This is due to the unsanitized use of user-supplied input in call_user_...

Published
May 07, 2025
Patched Release
8.9.2
Affected Versions
Versions up to 8.9.1
Next Step
Update to 8.9.2 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-3468
NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.9.1 - Authenticated (Custom) Stored Cross-Site Scripting

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the clean_html and form_fields parameters in all versions up to, and including, 8.9.1 due to insufficient input sanitization and output escapi...

Published
May 07, 2025
Patched Release
8.9.2
Affected Versions
Versions up to 8.9.1
Next Step
Update to 8.9.2 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-13498
NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.8.1 - Unauthenticated Sensitive Information Exposure

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.8.1 via file uploads due to insufficient directory listing prevention and lack of randomization of file...

Published
Mar 11, 2025
Patched Release
8.8.2
Affected Versions
Versions up to 8.8.1
Next Step
Update to 8.8.2 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-10862
NEX-Forms <= 8.7.15 - Authenticated (Admin+) SQL Injection

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to SQL Injection via the 'search_params' parameter in all versions up to, and including, 8.7.15 due to insufficient escaping on the user supplied parameter and lack of sufficien...

Published
Dec 24, 2024
Patched Release
8.7.16
Affected Versions
Versions up to 8.7.15
Next Step
Update to 8.7.16 or newer if supported.
Open Full Report Open CVE Reference