Volerion logoVolerion
Volerion logoVolerion

NEX-Forms WordPress Plugin SQL Injection Vulnerability for Authenticated Administrators

Vulnerability

A time-based blind SQL injection vulnerability has been identified in the NEX-Forms – Ultimate Forms Plugin for WordPress, affecting all versions through 9.1.12. The vulnerability arises from inadequate escaping of user-supplied data in the 'table' parameter, coupled with insufficient preparation of the SQL query. This flaw allows authenticated attackers with administrator-level access to inject additional SQL commands into existing queries, potentially leading to the extraction of sensitive information from the database.

Impact

Exploitation of this vulnerability allows for time-based blind SQL injection, where an attacker can manipulate SQL queries to extract data from the database. In this case, the vulnerability could be used to access sensitive information.

Remediation

Users are advised to update the NEX-Forms – Ultimate Forms Plugin for WordPress to version 9.1.13 or a newer patched version.

Added: May 15, 2026, 12:50 PM
Updated: May 15, 2026, 12:50 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
3.1
exploitability
5.5
remediation
0.0
relevance
8.4
threat
3.2
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.