Description
The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Limited Code Execution in all versions up to, and including, 8.9.1 via the get_table_records function. This is due to the unsanitized use of user-supplied input in call_user_func(). This makes it possible for authenticated attackers, with Custom-level access, to execute arbitrary PHP functions that meet specific constraints (static methods or global functions accepting a single array parameter).
Published: 2025-05-08
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Limited Code Execution (authenticated via Custom-level access)
Action: Apply Patch
AI Analysis

Impact

The NEX‑Forms – Ultimate Form Builder WordPress plugin is vulnerable to limited code execution due to unsanitized user input in its get_table_records function. The flaw allows authenticated users with Custom-level privileges to supply a function name to call_user_func, which will execute any static method or global function that accepts a single array parameter. This capability can lead to arbitrary PHP execution within the WordPress environment, potentially enabling attackers to compromise the site, exfiltrate data, or install persistent malware.

Affected Systems

The vulnerability affects the NEX‑Forms – Ultimate Form Builder plugin for WordPress, all versions up to and including 8.9.1. Users should verify their installed plugin version and apply any available update beyond 8.9.1.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity, and the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authentication and Custom-level access; attackers can trigger the flaw by invoking the get_table_records endpoint through the plugin’s interface, supplying a crafted function name. While the code execution is constrained, it provides sufficient control to potentially compromise the host server.

Generated by OpenCVE AI on April 22, 2026 at 17:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the NEX‑Forms plugin to a version newer than 8.9.1 that patches the get_table_records function.
  • If an upgrade is not immediately possible, immediately remove or downgrade any Custom-level or equivalent privileges that allow usage of the get_table_records endpoint.
  • As a temporary workaround, modify the plugin code to sanitize the function parameter or replace call_user_func with a hard‑coded safe function list, ensuring that only trusted functions can be executed.
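The last recommended action describes the standard fix for a request-controlled call_user_func(): dispatch through a fixed allow-list instead of a caller-supplied function name. The following is an added example, not the plugin's own code; the function names, the request parameter, the 'manage_options' capability and the nonce action are hypothetical, and only the WordPress helpers (current_user_can, check_ajax_referer, sanitize_key, wp_unslash, wp_send_json_error) are real.

```php
<?php
// Added example, not NEX-Forms code. All nf_example_* names, the 'function'
// request parameter and the capability/nonce strings are hypothetical.

// The pattern the advisory describes: the callable string comes straight from
// the request, so any static method or global function taking one array runs.
function nf_example_get_table_records_vulnerable() {
    $records  = array(); // rows loaded from the plugin's table in real code
    $callback = isset( $_POST['function'] ) ? wp_unslash( $_POST['function'] ) : '';
    return call_user_func( $callback, $records );
}

// Hardened form: request keys map to approved callables. The request string is
// only ever used as an array index, never as the callable itself.
const NF_EXAMPLE_TABLE_CALLBACKS = array(
    'count'  => 'nf_example_count_records',
    'latest' => 'nf_example_latest_record',
);

function nf_example_count_records( array $records ) {
    return count( $records );
}

function nf_example_latest_record( array $records ) {
    return empty( $records ) ? null : end( $records );
}

function nf_example_get_table_records_hardened() {
    // Capability check first: low-privilege roles never reach the dispatcher.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }
    // CSRF protection for the AJAX action (nonce action name is hypothetical).
    check_ajax_referer( 'nf_example_get_table_records' );

    $key = isset( $_POST['function'] ) ? sanitize_key( wp_unslash( $_POST['function'] ) ) : '';
    if ( ! array_key_exists( $key, NF_EXAMPLE_TABLE_CALLBACKS ) ) {
        wp_send_json_error( 'unknown action', 400 ); // exits
    }

    $records = array(); // rows loaded from the plugin's table in real code
    return call_user_func( NF_EXAMPLE_TABLE_CALLBACKS[ $key ], $records );
}
```

The allow-list also makes the endpoint auditable: the full set of reachable functions is the array literal, so a reviewer no longer has to reason about which static methods in the codebase happen to accept a single array argument.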


Tracking


Advisories
Source: EUVD
ID: EUVD-2025-13997
Title: The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Limited Code Execution in all versions up to, and including, 8.9.1 via the get_table_records function. This is due to the unsanitized use of user-supplied input in call_user_func(). This makes it possible for authenticated attackers, with Custom-level access, to execute arbitrary PHP functions that meet specific constraints (static methods or global functions accepting a single array parameter).
History

Tue, 15 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00079}
Values Added: {'score': 0.00091}


Wed, 04 Jun 2025 23:15:00 +0000

Type: First Time appeared
Values Added: Basixonline; Basixonline nex-forms
Type: CPEs
Values Added: cpe:2.3:a:basixonline:nex-forms:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
Values Added: Basixonline; Basixonline nex-forms

Thu, 08 May 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 08 May 2025 11:30:00 +0000

Type: Description
Values Added: The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Limited Code Execution in all versions up to, and including, 8.9.1 via the get_table_records function. This is due to the unsanitized use of user-supplied input in call_user_func(). This makes it possible for authenticated attackers, with Custom-level access, to execute arbitrary PHP functions that meet specific constraints (static methods or global functions accepting a single array parameter).
Type: Title
Values Added: NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.9.1 - Authenticated (Custom) Limited Code Execution via get_table_records Function
Type: Weaknesses
Values Added: CWE-94
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


Subscriptions

Basixonline Nex-forms
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:40:34.214Z

Reserved: 2025-05-02T00:28:53.112Z

Link: CVE-2025-4208

Vulnrichment

Updated: 2025-05-08T13:38:17.385Z

NVD

Status : Analyzed

Published: 2025-05-08T12:15:18.217

Modified: 2025-06-04T22:58:48.523

Link: CVE-2025-4208

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:30:22Z

Weaknesses