Description
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to enumerate sequential report IDs and download complete form submission data — including names, email addresses, phone numbers, postal addresses, payment details, and uploaded file paths — for any saved report on the site.
Published: 2026-06-27
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin contains an authorization bypass that occurs when the CSVExport class does not verify a user’s privilege before exporting report data. An unauthenticated attacker can therefore enumerate sequential report IDs and download complete form submission information, including names, email addresses, phone numbers, postal addresses, payment details, and uploaded file paths. This results in a confidentiality breach that matches CWE‑862, missing authorization.

Affected Systems

The NEX‑Forms Ultimate Forms Plugin for WordPress, versions up to and including 9.2.2, is affected. At the time of writing the vendor, Webaways, has not published a fixed release, so every WordPress installation running one of these versions is exposed.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) is medium severity: the flaw is reachable over the network, needs no privileges or user interaction, and is rated as a limited confidentiality loss only. No EPSS score has been published and the CVE is not in the CISA KEV catalog, which means no confirmed in‑the‑wild exploitation has been recorded, not that exploitation is difficult. The plugin's export endpoint answers ordinary HTTP requests without requiring authentication, so exploitation is straightforward: an attacker iterates over report identifiers until valid reports are returned and collects the stored submission data. Because submissions can contain payment and identity details, site operators should treat the practical impact as higher than the C:L rating suggests.

Generated by OpenCVE AI on June 27, 2026 at 07:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the NEX‑Forms plugin to a fixed release as soon as the vendor publishes a version later than 9.2.2.
  • If an immediate upgrade is not possible, block unauthenticated access to the export functionality: deactivate the plugin, or add web server or WAF rules that deny requests to the plugin's export URLs from clients that are not logged in.
  • Review WordPress roles and capabilities so that only trusted users can reach plugin management operations, and verify, for example by issuing the export request as a logged‑out visitor, that the export functionality denies access rather than returning data.
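The missing check described under Impact and Risk and Exploitability, and the capability check the last recommendation calls for, shown side by side as an added illustration. This is not NEX-Forms code: the page does not show how the CSVExport class is wired up, so the admin-ajax action name `nexforms_export_report`, the `report_id` query parameter, the `manage_options` capability and the helper functions below are all assumptions chosen only to make the pattern concrete.

```php
<?php
// Added illustration, not NEX-Forms code. Action name, parameter name,
// capability and helper functions are assumptions.

// Constructed sample data standing in for the plugin's database query.
function nexforms_load_report_rows(int $report_id): array {
    return [
        ['id', 'name', 'email'],
        [$report_id, 'Example Submitter', 'submitter@example.com'],
    ];
}

// Streams rows as a CSV download and ends the request.
function nexforms_send_csv(array $rows, string $filename): void {
    nocache_headers();
    header('Content-Type: text/csv; charset=utf-8');
    header('Content-Disposition: attachment; filename="' . $filename . '"');
    $out = fopen('php://output', 'w');
    foreach ($rows as $row) {
        fputcsv($out, $row);
    }
    fclose($out);
    exit;
}

// Vulnerable pattern (CWE-862): the handler is registered for anonymous
// callers via wp_ajax_nopriv_ and never checks who is asking, so any
// visitor who iterates report_id values downloads every saved report.
add_action('wp_ajax_nopriv_nexforms_export_report', 'nexforms_export_report_vulnerable');
add_action('wp_ajax_nexforms_export_report', 'nexforms_export_report_vulnerable');

function nexforms_export_report_vulnerable(): void {
    $report_id = isset($_GET['report_id']) ? absint($_GET['report_id']) : 0;
    $rows = nexforms_load_report_rows($report_id);
    nexforms_send_csv($rows, "report-{$report_id}.csv");
}

// Hardened pattern: no wp_ajax_nopriv_ registration (admin-ajax.php then
// answers anonymous callers with "0"), a capability check so that merely
// being logged in is not enough, and a nonce so the export cannot be
// triggered cross-site on behalf of an administrator.
add_action('wp_ajax_nexforms_export_report', 'nexforms_export_report_hardened');

function nexforms_export_report_hardened(): void {
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('You are not allowed to export reports.', 'example'), 403);
    }
    // Dies with -1 if the _wpnonce parameter is missing or invalid.
    check_ajax_referer('nexforms_export_report', '_wpnonce');

    $report_id = isset($_GET['report_id']) ? absint($_GET['report_id']) : 0;
    if ($report_id === 0) {
        wp_die(esc_html__('Invalid report ID.', 'example'), 400);
    }
    $rows = nexforms_load_report_rows($report_id);
    nexforms_send_csv($rows, "report-{$report_id}.csv");
}
```

Leaving out the `wp_ajax_nopriv_` hook is not sufficient on its own: every logged-in account, including a subscriber created through open registration, can reach `wp_ajax_` hooks, so the `current_user_can` check inside the handler is what actually enforces authorization. If the plugin exposes the export through a REST route instead of admin-ajax, the equivalent is a `permission_callback` that performs the same capability check.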

Generated by OpenCVE AI on June 27, 2026 at 07:21 UTC.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 06:15:00 +0000

Type: Values Removed: Values Added
Description: (none): text identical to the Description at the top of this page
Title: (none): NEX-Forms <= 9.2.2 - Missing Authorization to Unauthenticated Sensitive Information Disclosure via CSVExport Class
Weaknesses: (none): CWE-862
References: (none): (none)
Metrics: (none): cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-27T05:33:44.309Z

Reserved: 2026-06-16T13:40:57.176Z

Link: CVE-2026-12404

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-27T07:30:13Z

Weaknesses