CVE-2025-4208 MEDIUM

CVE-2025-4208: NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.9.1 - Authenticated (Custom) Limited Code Execution via get_table_records Function

Vendor Webaways
Product NEX-Forms – Ultimate Forms Plugin for WordPress
Weakness CWE-94 · Code injection
Published May 8, 2025
Last update April 8, 2026

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Limited Code Execution in all versions up to, and including, 8.9.1 via the get_table_records function. This is due to the unsanitized use of user-supplied input in call_user_func(). This makes it possible for authenticated attackers, with Custom-level access, to execute arbitrary PHP functions that meet specific constraints (static methods or global functions accepting a single array parameter).

Explanation of Vulnerability in Simple Terms

02Summary

NEX-Forms allows authenticated users to inject and execute arbitrary PHP code through form input fields. An attacker with a low-privilege account can craft malicious form submissions that execute code on the server. This affects all versions up to 8.9.1. Site owners should update immediately to a version newer than 8.9.1.

What an attacker can do

03Attacker Capabilities

Execute arbitrary PHP code on the server by submitting specially crafted form data.

Potential impact on your site

04Site Impact

An attacker with basic site access can run malicious code, potentially compromising the entire WordPress installation and hosted data.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account (e.g., subscriber or contributor role) on the WordPress site.

Key dates

06Disclosure timeline

May 8, 2025 CVE published
April 8, 2026 Record updated