SQL Injection Vulnerability in NEX-Forms Plugin for WordPress
CVE-2025-10185

4.9MEDIUM

Key Information:

Vendor

WordPress
Status
Nex-forms – Ultimate Forms Plugin For WordPress
Vendor
CVE Published:
11 October 2025

What is CVE-2025-10185?

The NEX-Forms – Ultimate Forms Plugin for WordPress is susceptible to SQL Injection attacks due to insufficient input validation of the 'orderby' parameter within the action nf_load_form_entries. This vulnerability exists in all versions prior to 9.1.6. Authenticated users with Administrator-level access can manipulate SQL queries to extract sensitive data from the database, endangering the security of the site. Moreover, this could potentially be exploited by lower-level users if granted access by site administrators.

Affected Version(s)

NEX-Forms – Ultimate Forms Plugin for WordPress * <= 9.1.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.svn.wordpress.org/nex-forms-express-wp-fo...
https://plugins.trac.wordpress.org/changeset/3365585/nex-...

CVSS V3.1

Score:
4.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Đức Tài
JSON
.
CVE-2025-10185 : SQL Injection Vulnerability in NEX-Forms Plugin for WordPress