SQL Injection Vulnerability in NEX-Forms – Ultimate Forms Plugin for WordPress
CVE-2026-7046

4.9MEDIUM

Key Information:

Vendor: WordPress
Status: Nex-forms – Ultimate Forms Plugin For WordPress
Vendor: CVE Published:; 15 May 2026

What is CVE-2026-7046?

The NEX-Forms – Ultimate Forms Plugin for WordPress contains a vulnerability that allows authenticated attackers with administrator-level access to perform time-based blind SQL injection through the 'table' parameter. This occurs due to insufficient input escaping and inadequate SQL query preparation, enabling attackers to inject additional SQL queries into existing ones. Consequently, this vulnerability poses a risk of sensitive data exposure from the underlying database.

Affected Version(s)

NEX-Forms – Ultimate Forms Plugin for WordPress 0 <= 9.1.12

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/nex-forms-expr...

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 15, 2026
Vulnerability Reserved
Apr 25, 2026

Credit

Athul Jayaram

CVE-2026-7046 Data

JSON