{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1947", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-05T00:14:44.427Z", "datePublished": "2026-03-15T01:19:06.351Z", "dateUpdated": "2026-04-08T17:16:29.189Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:16:29.189Z"}, "affected": [{"vendor": "webaways", "product": "NEX-Forms \u2013 Ultimate Forms Plugin for WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "9.1.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The NEX-Forms \u2013 Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 9.1.9 via the submit_nex_form() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to to overwrite arbitrary form entries via the 'nf_set_entry_update_id' parameter."}], "title": "NEX-Forms \u2013 Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Unauthenticated Arbitrary Form Entry Modification via nf_set_entry_update_id", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b2a8c307-2430-4ea9-afe0-e5e758eabdd1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3470888/nex-forms-express-wp-form-builder"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Youssef Elouaer"}], "timeline": [{"time": "2026-02-05T00:32:39.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-14T13:14:22.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T19:13:52.233817Z", "id": "CVE-2026-1947", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T19:14:13.133Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "NEX-Forms \u2013 Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Unauthenticated Arbitrary Form Entry Modification via nf_set_entry_update_id", "credits": [{"lang": "en", "type": "finder", "value": "Youssef Elouaer"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}}], "affected": [{"vendor": "webaways", "product": "NEX-Forms \u2013 Ultimate Forms Plugin for WordPress", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "9.1.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-05T00:32:39.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-14T13:14:22.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b2a8c307-2430-4ea9-afe0-e5e758eabdd1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3470888/nex-forms-express-wp-form-builder"}], "descriptions": [{"lang": "en", "value": "The NEX-Forms \u2013 Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 9.1.9 via the submit_nex_form() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to to overwrite arbitrary form entries via the 'nf_set_entry_update_id' parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-15T01:19:06.351Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1947", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T19:13:52.233817Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-16T19:14:04.654Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-1947", "state": "PUBLISHED", "dateUpdated": "2026-03-15T01:19:06.351Z", "dateReserved": "2026-02-05T00:14:44.427Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-15T01:19:06.351Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The NEX-Forms \u2013 Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 9.1.9 via the submit_nex_form() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to to overwrite arbitrary form entries via the 'nf_set_entry_update_id' parameter."}, {"lang": "es", "value": "El plugin NEX-Forms \u2013 Ultimate Forms Plugin for WordPress, un plugin de WordPress, es vulnerable a Referencia Directa Insegura a Objeto en todas las versiones hasta la 9.1.9, inclusive, a trav\u00e9s de la funci\u00f3n submit_nex_form() debido a la falta de validaci\u00f3n en una clave controlada por el usuario. Esto hace posible que atacantes no autenticados sobrescriban entradas de formulario arbitrarias a trav\u00e9s del par\u00e1metro 'nf_set_entry_update_id'."}], "id": "CVE-2026-1947", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-16T14:18:08.363", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3470888/nex-forms-express-wp-form-builder"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b2a8c307-2430-4ea9-afe0-e5e758eabdd1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.1.9]"}}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "NEX-Forms \u2013 Ultimate Forms Plugin for WordPress", "source": "cna", "vendor": "webaways"}, "product": "nex-forms-ultimate-forms-plugin", "vendor": "webaways"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-16T23:00:25.410532+00:00", "value": {"mitigation_remediation": ["Upgrade the NEX-Forms plugin to a version that contains the fix for this vulnerability, preferably the latest release available from the vendor."], "summary": {"action": "Immediate Patch", "impact": "Data Tampering"}, "threat_synthesis": {"affected_systems": "All installations of the webaways NEX-Forms \u2013 Ultimate Forms Plugin for WordPress up to and including version 9.1.9 are affected.", "description_and_impact": "The NEX-Forms \u2013 Ultimate Forms Plugin for WordPress is vulnerable to an Insecure Direct Object Reference that allows unauthenticated attackers to overwrite arbitrary form entries by supplying the 'nf_set_entry_update_id' parameter in the form submission request. This flaw exposes a straight\u2011forward data integrity issue, enabling malicious actors to replace legitimate submission data with crafted content, potentially exposing sensitive information, altering transaction records, or tampering with user\u2011generated content. The weakness is classified as CWE\u2011639 (Authorization Bypass Through User Controlled Key).", "risk_and_exploitability": "With a CVSS score of 7.5, the vulnerability carries a high risk rating. The EPSS score is less than 1% and the issue is not listed in the CISA KEV catalog, indicating a lower current exploit probability. The likely attack vector is an unauthenticated HTTP request to the plugin\u2019s form submission endpoint, where the attacker can submit crafted form data containing the offending 'nf_set_entry_update_id' parameter to modify existing entries. Exploitation requires no special privileges and is achievable by anyone with internet access to the affected site."}}}}, "created": "2026-03-16T09:22:13.967091+00:00", "updated": "2026-03-23T13:39:01.118984+00:00", "vendors": ["webaways", "webaways$PRODUCT$nex-forms-ultimate-forms-plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}