Authorization Bypass Vulnerability in NEX-Forms Plugin for WordPress
CVE-2026-9017

5.3MEDIUM

What is CVE-2026-9017?

The NEX-Forms – Ultimate Forms Plugin for WordPress is susceptible to an authorization bypass issue due to inadequate user verification. This vulnerability allows unauthenticated attackers to manipulate key email fields such as saved_admin_email, saved_user_email, and saved_user_email_address for any form submission. As a result, attackers may manage to send harmful email content to arbitrary recipients, potentially leading to a compromised site and abuse of its communication features.

Affected Version(s)

NEX-Forms – Ultimate Forms Plugin for WordPress 0 <= 9.2.2

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michael Iden (Mickhat)
.