CVE-2026-8692 MEDIUM

CVE-2026-8692: Vedrixa Forms <= 1.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Form Structure Modification via wefb_save_form_structure AJAX Action

Vendor Registrationformbuilder
Product Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder
Weakness CWE-862 · Missing authorization
Published May 22, 2026
Last update May 22, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite the structure of any form — adding, removing, or altering fields — by writing attacker-controlled data to the plugin's FORMS database table. The 'ajax-nonce' nonce used by this handler is injected into the public frontend via wp_localize_script(), so any authenticated user who visits a page containing a form shortcode can obtain it without any elevated access.
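As an added example in WordPress PHP (not the plugin's own code), the nonce-only pattern the description attributes to the handler, beside a hardened version that checks a capability before writing and keeps the nonce off public pages. Only the action name and the 'ajax-nonce' name come from the advisory; the function names, the capability, the admin hook suffix and the wefb_store_structure() helper are assumptions.

```php
<?php
// Added illustration of the CWE-862 pattern in the advisory, NOT Vedrixa Forms' code.
// The action name and the 'ajax-nonce' name come from the advisory; the function
// names, capability, admin hook suffix and wefb_store_structure() are assumptions.

// VULNERABLE PATTERN (hooked to 'wp_ajax_wefb_save_form_structure'): only a nonce is
// checked. That nonce is printed into the public frontend by wp_localize_script(), so
// every logged-in visitor holds it, and wp_ajax_* fires for any role, Subscriber included.
function wefb_save_form_structure_vulnerable() {
    check_ajax_referer( 'ajax-nonce', 'nonce' ); // CSRF guard only; says nothing about role
    wefb_store_structure( absint( $_POST['form_id'] ?? 0 ), wp_unslash( $_POST['structure'] ?? '' ) );
    wp_send_json_success();
}

// HARDENED: capability check before any write, an action-specific nonce, input validation.
add_action( 'wp_ajax_wefb_save_form_structure', 'wefb_save_form_structure_fixed' );
function wefb_save_form_structure_fixed() {
    // 'manage_options' is an assumed choice; a plugin would normally register its own
    // capability (e.g. 'wefb_edit_forms') and grant it to Administrator only.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // exits
    }
    check_ajax_referer( 'wefb_save_form_structure', 'nonce' );

    $form_id = absint( $_POST['form_id'] ?? 0 );
    if ( ! $form_id ) {
        wp_send_json_error( array( 'message' => 'Invalid form id' ), 400 );
    }
    $structure = json_decode( wp_unslash( $_POST['structure'] ?? '' ), true );
    if ( ! is_array( $structure ) ) {
        wp_send_json_error( array( 'message' => 'Invalid structure' ), 400 );
    }
    // Assumed helper that writes the validated structure to the plugin's forms table.
    wefb_store_structure( $form_id, wp_json_encode( $structure ) );
    wp_send_json_success();
}

// Keep the nonce off public pages: localize it only on the admin editor screen, so a
// Subscriber viewing a frontend form shortcode never receives it.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'toplevel_page_wefb' !== $hook ) { // assumed hook suffix for the plugin's admin page
        return;
    }
    wp_localize_script( 'wefb-editor', 'wefbAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'wefb_save_form_structure' ),
    ) );
} );
```

The capability check is the actual fix; moving the nonce is defence in depth, since a nonce is a CSRF token and never proves a role.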

Explanation of Vulnerability in Simple Terms

02 Summary

Vedrixa Forms versions 1.1.1 and earlier lack proper authorization checks, allowing authenticated users to modify form data they should not have access to. An attacker with a low-privilege account can alter form submissions or settings belonging to other users. The vulnerability requires login credentials but does not require user interaction beyond normal form submission.

What an attacker can do

03 Attacker Capabilities

Modify form data or settings belonging to other users on the site.

Potential impact on your site

04 Site Impact

User-submitted form data and form configurations can be altered by unauthorized users with site accounts.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid low-privilege user account on the site.

Key dates

06 Disclosure timeline

May 22, 2026 CVE published
May 22, 2026 Record updated
