Impact
The vulnerability in Basix NEX-Forms (the nex-forms-express-wp-form-builder plugin) allows Cross-Site Request Forgery. If an attacker can craft a request that a victim's browser submits while the victim is authenticated to the site, the victim may unknowingly trigger state-changing actions such as submitting forms or modifying data, leading to unauthorized data manipulation or potential escalation. This is a classic instance of CWE-352 (Cross-Site Request Forgery): the application does not verify that a state-changing request was intentionally issued by the user, which poses a high risk to data integrity and confidentiality.
Affected Systems
WordPress sites that use the Basix NEX-Forms plugin up to and including version 9.1.3 are affected. Site administrators should verify the exact plugin version installed; any instance of this plugin prior to the release of version 9.1.4 is vulnerable.
Risk and Exploitability
With a CVSS score of 8.8, the vulnerability is rated high severity, but its EPSS score is below 1%, indicating a low probability of exploitation at present. The vulnerability is not listed in CISA's KEV catalog, so no confirmed in-the-wild exploitation has been reported. Because CSRF requires the victim to be authenticated to the target site, an attacker typically embeds a malicious link or form in a third-party page to coerce the victim's browser into issuing the request. Although exploitation odds are currently low, the potential impact justifies immediate attention, and affected sites should update to version 9.1.4 or later.
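To make the CWE-352 point concrete, here is an added example (hypothetical WordPress code written for this page, not the NEX-Forms plugin's own code) showing a state-changing admin handler in the unprotected form described above and the same handler hardened with a nonce and a capability check; all hook, option and function names are assumptions.

```php
<?php
// Added illustration, not NEX-Forms code: a hypothetical WordPress admin-side
// handler that saves form-builder settings, shown first with no request-intent
// check (the CWE-352 pattern) and then hardened. All names are assumptions.

// --- Vulnerable pattern: any logged-in user's browser can be made to POST here ---
add_action( 'admin_post_example_save_form', 'example_save_form_vulnerable' );
function example_save_form_vulnerable() {
    // No nonce and no capability check: a cross-site POST issued by an
    // authenticated administrator's browser is accepted and the change lands.
    $form_id  = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    update_option( 'example_form_' . $form_id, $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=example-forms&saved=1' ) );
    exit;
}

// --- Hardened form: verify intent (nonce) and authority (capability) ---
add_action( 'admin_post_example_save_form_secure', 'example_save_form_secure' );
function example_save_form_secure() {
    // Dies with HTTP 403 unless the request carries a nonce generated for this
    // action and this user's session, which a third-party page cannot obtain.
    check_admin_referer( 'example_save_form', 'example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $form_id  = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    $settings = isset( $_POST['settings'] )
        ? array_map( 'sanitize_text_field', (array) wp_unslash( $_POST['settings'] ) )
        : array();
    update_option( 'example_form_' . $form_id, $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=example-forms&saved=1' ) );
    exit;
}

// The site's own settings page emits the matching nonce field, so only a form
// rendered by this site for this user carries a token the handler accepts.
function example_render_save_form( $form_id ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save_form_secure">';
    echo '<input type="hidden" name="form_id" value="' . esc_attr( $form_id ) . '">';
    wp_nonce_field( 'example_save_form', 'example_nonce' );
    echo '<input type="text" name="settings[label]">';
    submit_button( 'Save' );
    echo '</form>';
}
```

When auditing a plugin for this class of bug, look for every handler hooked to admin_post_*, wp_ajax_* or a REST route that writes data, and confirm each one performs a nonce (or REST cookie-nonce) check plus a capability check before the write.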