Description
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_license() function in all versions up to, and including, 9.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate the plugin license.
Published: 2026-03-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: License Deactivation / Service Disruption
Action: Apply Patch
AI Analysis

Impact

The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable because the deactivate_license() function lacks a capability check. This flaw allows any authenticated user with Subscriber-level access or higher to deactivate the plugin license. As a result, the plugin becomes inoperative, causing loss of form functionality and potential disruption of business processes that depend on it. The weakness is classified as CWE-862 (Missing Authorization).

Affected Systems

The vulnerability affects the webaways NEX-Forms – Ultimate Forms Plugin for WordPress, in all versions up to and including 9.1.9. No specific sub‑versions are listed beyond this upper bound.

Risk and Exploitability

The CVSS score is 4.3 (Medium), and the EPSS score is less than 1%, suggesting a low probability of exploitation. The flaw is not listed in CISA’s Known Exploited Vulnerabilities catalog. Because the issue requires an authenticated account with at least Subscriber permissions, any site that has such users is at risk of accidental or malicious license deactivation, but the damage is confined to service disruption rather than data loss or compromise.

Generated by OpenCVE AI on March 16, 2026 at 23:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the NEX-Forms plugin to a version newer than 9.1.9.
  • Verify that there are no unauthorized users with Subscriber or higher roles, or reduce their privileges if possible.
  • Confirm that the plugin’s license deactivation controls now require higher‑privilege access.
  • Monitor site logs for unexpected license deactivation events to detect any abuse.



Advisories

No advisories yet.

History

Mon, 16 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Webaways; Webaways nex-forms-ultimate-forms-plugin; Wordpress; Wordpress wordpress
Vendors & Products | | Webaways; Webaways nex-forms-ultimate-forms-plugin; Wordpress; Wordpress wordpress

Sat, 14 Mar 2026 04:00:00 +0000

Type | Values Removed | Values Added
Description | | The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_license() function in all versions up to, and including, 9.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate the plugin license.
Title | | NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Authenticated (Subscriber+) License Deactivation via deactivate_license
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-16T20:22:43.149Z

Reserved: 2026-02-05T00:32:13.409Z

Link: CVE-2026-1948

Vulnrichment

Updated: 2026-03-16T20:20:35.423Z

NVD

Status: Awaiting Analysis

Published: 2026-03-16T14:18:08.530

Modified: 2026-03-16T14:53:07.390

Link: CVE-2026-1948

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T13:39:08Z

Weaknesses