01 Description
The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5_Export_Forms class constructor in all versions up to, and including, 9.1.8. This makes it possible for unauthenticated attackers to export form configurations that may include sensitive data, such as email addresses, PayPal API credentials, and third-party integration keys, by enumerating the nex_forms_Id parameter.
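A detection sketch for the enumeration described above, as an added example that is not from the advisory or the plugin: it scans web access logs in Combined Log Format for clients that received successful responses for many distinct nex_forms_Id values. It assumes the parameter appears in the query string (a POST body would not be logged); the threshold, function names, request path and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: client, timestamp, request line, status (rest ignored).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def form_id_requests(lines):
    """Yield (client, form_id, status) for requests carrying nex_forms_Id."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        client, _method, target, status = m.groups()
        query = parse_qs(urlsplit(target).query)
        for value in query.get("nex_forms_Id", []):
            if value.isascii() and value.isdigit():
                yield client, int(value), int(status)

def enumerating_clients(lines, min_distinct_ids=5):
    """Return {client: sorted ids} for clients served many distinct form IDs."""
    seen = defaultdict(set)
    for client, form_id, status in form_id_requests(lines):
        if status == 200:  # only count requests the server answered successfully
            seen[client].add(form_id)
    return {c: sorted(ids) for c, ids in seen.items()
            if len(ids) >= min_distinct_ids}

# Constructed sample input: documentation IP ranges and a placeholder path.
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Feb/2026:10:00:{i:02d} +0000] '
    f'"GET /placeholder-path?nex_forms_Id={i} HTTP/1.1" 200 5120 "-" "-"'
    for i in range(1, 9)
] + [
    '198.51.100.4 - - [01/Feb/2026:10:05:00 +0000] '
    '"GET /placeholder-path?nex_forms_Id=3 HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.9 - - [01/Feb/2026:10:06:00 +0000] '
    '"GET /placeholder-path?nex_forms_Id=2 HTTP/1.1" 403 312 "-" "-"',
]

if __name__ == "__main__":
    for client, ids in enumerating_clients(SAMPLE_LOG).items():
        print(f"{client} requested {len(ids)} distinct form IDs: {ids}")
```

A hit is a lead for review, not proof of export: confirm the plugin version in use and whether the flagged requests came from a logged-in administrator.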
02 Summary
NEX-Forms versions 9.1.8 and earlier lack proper authorization checks, allowing unauthenticated attackers to read sensitive form data. An attacker can access form submissions and other protected information without logging in or providing credentials. Site owners should update to a version newer than 9.1.8 immediately.
03 Attacker Capabilities
Read form submissions and other sensitive data without logging in.
04 Site Impact
Form data (submissions, user information) may be exposed to anyone on the internet.
05 Prerequisites
Network access to the WordPress site; no authentication or user interaction required.
06 Disclosure timeline
January 31, 2026: CVE published
April 8, 2026: Record updated