Authorization Bypass in Vedrixa Forms Plugin for WordPress
CVE-2026-8692

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder
Vendor: CVE Published:; 22 May 2026

What is CVE-2026-8692?

The Vedrixa Forms plugin for WordPress has a significant authorization bypass vulnerability affecting all versions up to 1.1.1. This occurs because the plugin fails to adequately verify user permissions, allowing authenticated users with a minimum of subscriber access to modify form structures. Attackers can inject controlled data into the plugin's FORMS database table, enabling them to add, remove, or alter fields in any form. The vulnerability arises from the 'ajax-nonce' nonce being publicly accessible via wp_localize_script(), which can be exploited by any authenticated user visiting a form page, posing a risk to site administrators and other users.

Affected Version(s)

Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder 0 <= 1.1.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/vedrixa-forms-...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 22, 2026
Vulnerability Reserved
May 15, 2026

Credit

Thanh Toan Bui

CVE-2026-8692 Data

JSON