SQL Injection Vulnerability in NEX-Forms Plugin for WordPress
CVE-2025-10185

4.9MEDIUM

Key Information:

Vendor: WordPress
Status: Nex-forms – Ultimate Forms Plugin For WordPress
Vendor: CVE Published:; 11 October 2025

What is CVE-2025-10185?

The NEX-Forms – Ultimate Forms Plugin for WordPress is susceptible to SQL Injection attacks due to insufficient input validation of the 'orderby' parameter within the action nf_load_form_entries. This vulnerability exists in all versions prior to 9.1.6. Authenticated users with Administrator-level access can manipulate SQL queries to extract sensitive data from the database, endangering the security of the site. Moreover, this could potentially be exploited by lower-level users if granted access by site administrators.

Affected Version(s)

NEX-Forms – Ultimate Forms Plugin for WordPress * <= 9.1.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.svn.wordpress.org/nex-forms-express-wp-fo...

https://plugins.trac.wordpress.org/changeset/3365585/nex-...

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 11, 2025
Vulnerability Reserved
Sep 9, 2025

Credit

Đức Tài

JSON