What the vulnerability does
01Description
The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Limited Code Execution in all versions up to, and including, 8.9.1 via the get_table_records function. This is due to the unsanitized use of user-supplied input in call_user_func(). This makes it possible for authenticated attackers, with Custom-level access, to execute arbitrary PHP functions that meet specific constraints (static methods or global functions accepting a single array parameter).
Explanation of Vulnerability in Simple Terms
02Summary
NEX-Forms allows authenticated users to inject and execute arbitrary PHP code through form input fields. An attacker with a low-privilege account can craft malicious form submissions that execute code on the server. This affects all versions up to 8.9.1. Site owners should update immediately to a version newer than 8.9.1.
What an attacker can do
03Attacker Capabilities
Execute arbitrary PHP code on the server by submitting specially crafted form data.
Potential impact on your site
04Site Impact
An attacker with basic site access can run malicious code, potentially compromising the entire WordPress installation and hosted data.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege user account (e.g., subscriber or contributor role) on the WordPress site.
Key dates
06Disclosure timeline
May 8, 2025
CVE published
April 8, 2026
Record updated