The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to enumerate sequential report IDs and download complete form submission data — including names, email addresses, phone numbers, postal addresses, payment details, and uploaded file paths — for any saved report on the site.
Metrics
Affected Vendors & Products
References
History
Mon, 29 Jun 2026 19:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Webaways
Webaways nex-forms-ultimate-forms-plugin Wordpress Wordpress wordpress |
|
| Vendors & Products |
Webaways
Webaways nex-forms-ultimate-forms-plugin Wordpress Wordpress wordpress |
Mon, 29 Jun 2026 19:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Sat, 27 Jun 2026 06:15:00 +0000
Status: PUBLISHED
Assigner: Wordfence
Published: 2026-06-27T05:33:44.309Z
Updated: 2026-06-29T18:50:07.884Z
Reserved: 2026-06-16T13:40:57.176Z
Link: CVE-2026-12404
Updated: 2026-06-29T18:50:02.972Z
No data.
No data.