Authorization Bypass Vulnerability in NEX-Forms Plugin for WordPress
CVE-2026-9017
5.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 11 July 2026
What is CVE-2026-9017?
The NEX-Forms β Ultimate Forms Plugin for WordPress is susceptible to an authorization bypass issue due to inadequate user verification. This vulnerability allows unauthenticated attackers to manipulate key email fields such as saved_admin_email, saved_user_email, and saved_user_email_address for any form submission. As a result, attackers may manage to send harmful email content to arbitrary recipients, potentially leading to a compromised site and abuse of its communication features.
Affected Version(s)
NEX-Forms β Ultimate Forms Plugin for WordPress 0 <= 9.2.2