Description
The Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite the structure of any form — adding, removing, or altering fields — by writing attacker-controlled data to the plugin's FORMS database table. The 'ajax-nonce' nonce used by this handler is injected into the public frontend via wp_localize_script(), so any authenticated user who visits a page containing a form shortcode can obtain it without any elevated access.
Published: 2026-05-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Vedrixa Forms plugin for WordPress contains an authorization bypass that allows any authenticated user with subscriber-level access or higher to overwrite the structure of any form. By sending the wefb_save_form_structure AJAX request, an attacker can inject attacker-controlled data into the plugin’s FORMS database table, adding, removing, or altering fields. This flaw violates proper access control (CWE-862) and compromises the integrity of the form definitions.

Affected Systems

WordPress sites using the Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder plugin, version 1.1.1 or earlier. The vulnerability exists in all releases up to and including 1.1.1; newer versions are not mentioned in the advisory.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact, with the primary risk being integrity loss through unauthorized form modification. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires the attacker to be authenticated with at least subscriber-level privileges; the authorization check is missing, so the exploit can be performed by any logged‑in user who can load a page containing a form shortcode, as the ajax-nonce is injected into the public frontend via wp_localize_script() and can be retrieved freely. Based on the provided description, the most likely attack vector is local through the authenticated user context.

Generated by OpenCVE AI on May 22, 2026 at 09:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Vedrixa Forms plugin to the latest patched version or a version newer than 1.1.1
  • Restrict the form builder’s AJAX endpoint to administrators or privileged roles by adding an explicit capability check before processing the request
  • Audit and monitor the FORMS database table for unauthorized changes and review user activity logs for suspicious form modifications

Generated by OpenCVE AI on May 22, 2026 at 09:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 22 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Registrationformbuilder
Registrationformbuilder vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder
Wordpress
Wordpress wordpress
Vendors & Products Registrationformbuilder
Registrationformbuilder vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder
Wordpress
Wordpress wordpress

Fri, 22 May 2026 08:45:00 +0000

Type Values Removed Values Added
Description The Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite the structure of any form — adding, removing, or altering fields — by writing attacker-controlled data to the plugin's FORMS database table. The 'ajax-nonce' nonce used by this handler is injected into the public frontend via wp_localize_script(), so any authenticated user who visits a page containing a form shortcode can obtain it without any elevated access.
Title Vedrixa Forms <= 1.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Form Structure Modification via wefb_save_form_structure AJAX Action
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Registrationformbuilder Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-22T12:35:18.579Z

Reserved: 2026-05-15T14:57:40.904Z

Link: CVE-2026-8692

cve-icon Vulnrichment

Updated: 2026-05-22T12:35:14.870Z

cve-icon NVD

Status : Received

Published: 2026-05-22T09:16:33.183

Modified: 2026-05-22T09:16:33.183

Link: CVE-2026-8692

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T12:37:55Z

Weaknesses