NEX-Forms WordPress Plugin Insecure Direct Object Reference Vulnerability Allowing Unauthenticated Arbitrary Form Entry Modification

Vulnerability

A vulnerability exists in the NEX-Forms – Ultimate Forms Plugin for WordPress, in all versions through 9.1.9. The issue is an Insecure Direct Object Reference (IDOR) that allows unauthenticated users to overwrite arbitrary form entries. It arises in the submit_nex_form() function, which selects the entry to update from a user-controlled key without validating that the caller is entitled to modify that entry. The key is supplied through the 'nf_set_entry_update_id' request parameter: a submission that carries this parameter is treated as an update of the referenced entry rather than as a new entry, and no ownership or capability check is applied before the write.
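The following is an added, illustrative example and is not code from NEX-Forms or its vendor. It reconstructs the general shape of the flaw described above (a client-supplied entry ID chosen as the update target with no authorization check) next to one hardened form. The handler names, the table name, the 'entry_token' parameter and the 'edit_token_hash' column are all assumptions made for the example; only the 'nf_set_entry_update_id' parameter name comes from the advisory.

```php
<?php
// Added example, not NEX-Forms code. Hypothetical table, column and handler
// names; demonstrates the IDOR pattern and one way to close it in a
// WordPress plugin that accepts unauthenticated form submissions.

function example_entry_table() {
    global $wpdb;
    return $wpdb->prefix . 'example_form_entries'; // hypothetical table name
}

function example_collect_fields() {
    $raw = isset($_POST['form_fields']) ? wp_unslash($_POST['form_fields']) : array();
    return array('form_data' => wp_json_encode(is_array($raw) ? $raw : array()));
}

// VULNERABLE PATTERN: the row to overwrite is chosen entirely by the
// client-supplied id. Nothing ties the caller to that row, so any visitor
// can overwrite any entry simply by sending a different id.
function example_vulnerable_submit() {
    global $wpdb;
    $fields = example_collect_fields();
    if (!empty($_POST['nf_set_entry_update_id'])) {
        $wpdb->update(example_entry_table(), $fields,
            array('Id' => absint($_POST['nf_set_entry_update_id'])));
        return 'updated';
    }
    $wpdb->insert(example_entry_table(), $fields);
    return 'inserted';
}

// HARDENED PATTERN: an update is allowed only if the caller proves a
// relationship to the entry. Here that proof is either (a) a per-entry
// secret token issued when the entry was created (hypothetical
// 'entry_token' parameter / 'edit_token_hash' column), or (b) a logged-in
// user with an appropriate capability plus a valid nonce.
function example_hardened_submit() {
    global $wpdb;
    $fields   = example_collect_fields();
    $entry_id = isset($_POST['nf_set_entry_update_id']) ? absint($_POST['nf_set_entry_update_id']) : 0;

    if ($entry_id > 0) {
        $allowed = false;

        // (a) Bearer of the entry's own edit token may update it.
        $token = isset($_POST['entry_token']) ? sanitize_text_field(wp_unslash($_POST['entry_token'])) : '';
        if ($token !== '') {
            $stored = $wpdb->get_var($wpdb->prepare(
                'SELECT edit_token_hash FROM ' . example_entry_table() . ' WHERE Id = %d', $entry_id));
            // hash_equals() avoids a timing side channel on the comparison.
            $allowed = is_string($stored) && hash_equals($stored, hash('sha256', $token));
        }

        // (b) Privileged, logged-in user with a CSRF nonce may update any entry.
        if (!$allowed && is_user_logged_in() && current_user_can('manage_options')) {
            $nonce   = isset($_POST['_wpnonce']) ? sanitize_text_field(wp_unslash($_POST['_wpnonce'])) : '';
            $allowed = (bool) wp_verify_nonce($nonce, 'example_update_entry_' . $entry_id);
        }

        if (!$allowed) {
            return 'forbidden'; // id was supplied but caller proved nothing
        }
        $wpdb->update(example_entry_table(), $fields, array('Id' => $entry_id));
        return 'updated';
    }

    // New entry: mint a random token, store only its hash, hand the token to
    // the client once so it (and nobody else) can later update this entry.
    $token = wp_generate_password(32, false);
    $fields['edit_token_hash'] = hash('sha256', $token);
    $wpdb->insert(example_entry_table(), $fields);
    return array('status' => 'inserted', 'entry_token' => $token);
}
```

The point of the hardened version is that the entry ID alone is never treated as proof of anything: the client may still name an entry, but the server requires an independent secret or an authenticated, capability-checked session before honouring the write. Accepting the ID and skipping that step is exactly the IDOR the advisory describes.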

Impact

Exploitation of this vulnerability allows unauthorized modification of existing form entries, potentially leading to data integrity issues. Because no authentication is required and the target entry is chosen by a client-supplied ID, an attacker who can guess or enumerate entry IDs can overwrite data submitted by other users. Site owners should treat entries stored while a vulnerable version was installed as potentially tampered with.

Remediation

Users are advised to update the NEX-Forms – Ultimate Forms Plugin for WordPress to version 9.1.10 or a newer patched version.

Added: Mar 16, 2026, 2:31 PM
Updated: Mar 16, 2026, 2:31 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.6
exploitability: 7.5
remediation: 7.7
relevance: 4.0
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.