Description
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 9.1.9 via the submit_nex_form() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to to overwrite arbitrary form entries via the 'nf_set_entry_update_id' parameter.
Published: 2026-03-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Tampering
Action: Immediate Patch
AI Analysis

Impact

The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to an Insecure Direct Object Reference that allows unauthenticated attackers to overwrite arbitrary form entries by supplying the 'nf_set_entry_update_id' parameter in the form submission request. This flaw exposes a straight‑forward data integrity issue, enabling malicious actors to replace legitimate submission data with crafted content, potentially exposing sensitive information, altering transaction records, or tampering with user‑generated content. The weakness is classified as CWE‑639 (Authorization Bypass Through User Controlled Key).

Affected Systems

All installations of the webaways NEX-Forms – Ultimate Forms Plugin for WordPress up to and including version 9.1.9 are affected.

Risk and Exploitability

With a CVSS score of 7.5, the vulnerability carries a high risk rating. The EPSS score is less than 1% and the issue is not listed in the CISA KEV catalog, indicating a lower current exploit probability. The likely attack vector is an unauthenticated HTTP request to the plugin’s form submission endpoint, where the attacker can submit crafted form data containing the offending 'nf_set_entry_update_id' parameter to modify existing entries. Exploitation requires no special privileges and is achievable by anyone with internet access to the affected site.

Generated by OpenCVE AI on March 16, 2026 at 23:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the NEX-Forms plugin to a version that contains the fix for this vulnerability, preferably the latest release available from the vendor.

Generated by OpenCVE AI on March 16, 2026 at 23:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Webaways
Webaways nex-forms-ultimate-forms-plugin
Wordpress
Wordpress wordpress
Vendors & Products Webaways
Webaways nex-forms-ultimate-forms-plugin
Wordpress
Wordpress wordpress

Sun, 15 Mar 2026 01:45:00 +0000

Type Values Removed Values Added
Description The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 9.1.9 via the submit_nex_form() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to to overwrite arbitrary form entries via the 'nf_set_entry_update_id' parameter.
Title NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Unauthenticated Arbitrary Form Entry Modification via nf_set_entry_update_id
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Webaways Nex-forms-ultimate-forms-plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-16T19:14:13.133Z

Reserved: 2026-02-05T00:14:44.427Z

Link: CVE-2026-1947

cve-icon Vulnrichment

Updated: 2026-03-16T19:14:04.654Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-16T14:18:08.363

Modified: 2026-03-16T14:53:07.390

Link: CVE-2026-1947

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T13:39:01Z

Weaknesses