Which NEX-Forms – Ultimate Forms Plugin for WordPress CVEs are tracked?

NEX-Forms – Ultimate Forms Plugin for WordPress tracked CVEs include CVE-2015-9452, CVE-2021-24705, CVE-2026-1947, CVE-2025-69324, and CVE-2023-2114.

Where should operators start on this Plugin hub?

Start with the priority CVE quick links, then open the full report for affected versions, remediation notes, CVSS vectors, and source references.

Plugin Vulnerability Hub

Plugin 31 known issues Latest disclosed Mar 14, 2026

NEX-Forms – Ultimate Forms Plugin for WordPress Vulnerabilities

Q: How many NEX-Forms – Ultimate Forms Plugin for WordPress vulnerabilities have patch guidance?

31 of 31 tracked NEX-Forms – Ultimate Forms Plugin for WordPress records include a published patch path.

Review known vulnerability records for the WordPress plugin NEX-Forms – Ultimate Forms Plugin for WordPress (`nex-forms-express-wp-form-builder`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-1947, CVE-2026-1948 and CVE-2025-69326, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

Mar 15, 2026

Priority CVE Quick Links

Fast paths into NEX-Forms – Ultimate Forms Plugin for WordPress CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs

CVE-2015-9452 Critical 4.6.1

CVE-2015-9452 NEX-Forms – Ultimate Forms Plugin for WordPress SQL Injection

NEX-Forms – Ultimate Form Builder < 4.6.1 - SQL Injection

CVE-2021-24705 High 8.4.3

CVE-2021-24705 NEX-Forms – Ultimate Forms Plugin for WordPress Cross-Site Scripting

NEX-Forms – Ultimate Form Builder <= 8.4.2 - Cross-Site Request Forgery to Cross-Site Scripting

CVE-2026-1947 High 9.1.10

CVE-2026-1947 NEX-Forms – Ultimate Forms Plugin for WordPress Authorization Bypass

NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Unauthenticated Arbitrary Form Entry Modification via nf_set_entry_update_id

CVE-2025-69324 High 9.1.8

CVE-2025-69324 NEX-Forms – Ultimate Forms Plugin for WordPress Stored Cross-Site Scripting

NEX-Forms <= 9.1.7 - Unauthenticated Stored Cross-Site Scripting

CVE-2023-2114 High 8.4

CVE-2023-2114 NEX-Forms – Ultimate Forms Plugin for WordPress SQL Injection

NEX-Forms <= 8.3.3 - Authenticated (Administrator+) SQL Injection

CVE-2022-3142 High 7.9.7

CVE-2022-3142 NEX-Forms – Ultimate Forms Plugin for WordPress SQL Injection

NEX-Forms <= 7.9.6 - Authenticated (Administrator+) SQL Injection

CVE-2025-3468 Medium 8.9.2

CVE-2025-3468 NEX-Forms – Ultimate Forms Plugin for WordPress Stored Cross-Site Scripting

NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.9.1 - Authenticated (Custom) Stored Cross-Site Scripting

CVE-2024-37512 Medium 8.6.1

CVE-2024-37512 NEX-Forms – Ultimate Forms Plugin for WordPress Stored Cross-Site Scripting

NEX-Forms – Ultimate Form Builder <= 8.5.10 - Authenticated (Contributor+) Stored Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for NEX-Forms – Ultimate Forms Plugin for WordPress so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

31 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

2 critical and 5 high severity findings.

Recent CVEs

CVE-2026-1947, CVE-2026-1948 and CVE-2025-69326

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2026-1947 High Patch path listed

CVE-2026-1947: NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Unauthenticated Arbitrary Form Entry Modification via nf_set_entry_update_id

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 9.1.9 via the submit_nex_form...

Published

Mar 14, 2026

Patch Status

9.1.10

Open CVE-2026-1947 Report

CVE-2026-1948 Medium Patch path listed

CVE-2026-1948: NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Authenticated (Subscriber+) License Deactivation via deactivate_license

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_license() func...

Published

Mar 13, 2026

Patch Status

9.1.10

Open CVE-2026-1948 Report

CVE-2025-69326 Medium Patch path listed

CVE-2025-69326: NEX-Forms <= 9.1.7 - Reflected Cross-Site Scripting

The NEX-Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 9.1.7 due to insufficient input sanitization and output escaping. This ma...

Published

Feb 09, 2026

Patch Status

9.1.8

Open CVE-2025-69326 Report

Known Vulnerabilities

Reports for NEX-Forms – Ultimate Forms Plugin for WordPress

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: Yes CVE-2026-1947

CVE-2026-1947: NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Unauthenticated Arbitrary Form Entry Modification via nf_set_entry_update_id

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 9.1.9 via the submit_nex_form() function due to missing validation on a user controlled key. This makes it possible for...

Published

Mar 14, 2026

Patched Release

9.1.10

Affected Versions

Versions up to 9.1.9

Next Step

Update to 9.1.10 or newer if supported.

Open CVE-2026-1947 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-1948

CVE-2026-1948: NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Authenticated (Subscriber+) License Deactivation via deactivate_license

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_license() function in all versions up to, and including, 9.1.9. This makes it possible for authenticated...

Published

Mar 13, 2026

Patched Release

9.1.10

Affected Versions

Versions up to 9.1.9

Next Step

Update to 9.1.10 or newer if supported.

Open CVE-2026-1948 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-69326

CVE-2025-69326: NEX-Forms <= 9.1.7 - Reflected Cross-Site Scripting

The NEX-Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 9.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages tha...

Published

Feb 09, 2026

Patched Release

9.1.8

Affected Versions

Versions up to 9.1.7

Next Step

Update to 9.1.8 or newer if supported.

Open CVE-2025-69326 Report Open CVE Reference

Plugin High Patched: Yes CVE-2025-69324

CVE-2025-69324: NEX-Forms <= 9.1.7 - Unauthenticated Stored Cross-Site Scripting

The NEX-Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 9.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...

Published

Feb 04, 2026

Patched Release

9.1.8

Affected Versions

Versions up to 9.1.7

Next Step

Update to 9.1.8 or newer if supported.

Open CVE-2025-69324 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-15510

CVE-2025-15510: NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.8 - Missing Authorization to Unauthenticated Sensitive Information Exposure

The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5_Export_Forms class constructor in all versions up to, and including, 9.1.8. This makes it possible for unauthenticated attackers to export...

Published

Jan 30, 2026

Patched Release

9.1.9

Affected Versions

Versions up to 9.1.8

Next Step

Update to 9.1.9 or newer if supported.

Open CVE-2025-15510 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-14803

CVE-2025-14803: Nex-Forms Express WP Form Builder <= 9.1.7 - Authenticated (Admin+) Stored Cross-Site Scripting

The Nex-Forms Express WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 9.1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

Published

Dec 19, 2025

Patched Release

9.1.8

Affected Versions

Versions up to 9.1.7

Next Step

Update to 9.1.8 or newer if supported.

Open CVE-2025-14803 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-10185

CVE-2025-10185: NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.6 - Authenticated (Admin+) SQL Injection

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in the action nf_load_form_entries in all versions up to, and including, 9.1.6 due to insufficient escaping on the user supplied parameter and lack...

Published

Oct 10, 2025

Patched Release

9.1.7

Affected Versions

Versions up to 9.1.6

Next Step

Update to 9.1.7 or newer if supported.

Open CVE-2025-10185 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-49399

CVE-2025-49399: NEX-Forms <= 9.1.3 - Cross-Site Request Forgery

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attacke...

Published

Aug 20, 2025

Patched Release

9.1.4

Affected Versions

Versions up to 9.1.3

Next Step

Update to 9.1.4 or newer if supported.

Open CVE-2025-49399 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-4208

CVE-2025-4208: NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.9.1 - Authenticated (Custom) Limited Code Execution via get_table_records Function

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Limited Code Execution in all versions up to, and including, 8.9.1 via the get_table_records function. This is due to the unsanitized use of user-supplied input in call_user_...

Published

May 07, 2025

Patched Release

8.9.2

Affected Versions

Versions up to 8.9.1

Next Step

Update to 8.9.2 or newer if supported.

Open CVE-2025-4208 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-3468

CVE-2025-3468: NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.9.1 - Authenticated (Custom) Stored Cross-Site Scripting

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the clean_html and form_fields parameters in all versions up to, and including, 8.9.1 due to insufficient input sanitization and output escapi...

Published

May 07, 2025

Patched Release

8.9.2

Affected Versions

Versions up to 8.9.1

Next Step

Update to 8.9.2 or newer if supported.

Open CVE-2025-3468 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-13498

CVE-2024-13498: NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.8.1 - Unauthenticated Sensitive Information Exposure

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.8.1 via file uploads due to insufficient directory listing prevention and lack of randomization of file...

Published

Mar 11, 2025

Patched Release

8.8.2

Affected Versions

Versions up to 8.8.1

Next Step

Update to 8.8.2 or newer if supported.

Open CVE-2024-13498 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-10862

CVE-2024-10862: NEX-Forms <= 8.7.15 - Authenticated (Admin+) SQL Injection

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to SQL Injection via the 'search_params' parameter in all versions up to, and including, 8.7.15 due to insufficient escaping on the user supplied parameter and lack of sufficien...

Published

Dec 24, 2024

Patched Release

8.7.16

Affected Versions

Versions up to 8.7.15

Next Step

Update to 8.7.16 or newer if supported.

Open CVE-2024-10862 Report Open CVE Reference