{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1948", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-05T00:32:13.409Z", "datePublished": "2026-03-14T03:24:14.344Z", "dateUpdated": "2026-04-08T16:41:58.456Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:41:58.456Z"}, "affected": [{"vendor": "webaways", "product": "NEX-Forms \u2013 Ultimate Forms Plugin for WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "9.1.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The NEX-Forms \u2013 Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_license() function in all versions up to, and including, 9.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to to deactivate the plugin license."}], "title": "NEX-Forms \u2013 Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Authenticated (Subscriber+) License Deactivation via deactivate_license", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/23b21dbd-caf7-49fc-bed4-4017151ee4ad?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3470888/nex-forms-express-wp-form-builder"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2026-02-05T00:47:32.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-13T15:17:36.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1948", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T20:09:38.804253Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T20:22:43.149Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1948", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T20:09:38.804253Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T20:20:35.423Z"}}], "cna": {"title": "NEX-Forms \u2013 Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Authenticated (Subscriber+) License Deactivation via deactivate_license", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "webaways", "product": "NEX-Forms \u2013 Ultimate Forms Plugin for WordPress", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "9.1.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-05T00:47:32.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-13T15:17:36.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/23b21dbd-caf7-49fc-bed4-4017151ee4ad?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3470888/nex-forms-express-wp-form-builder"}], "descriptions": [{"lang": "en", "value": "The NEX-Forms \u2013 Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_license() function in all versions up to, and including, 9.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to to deactivate the plugin license."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-14T03:24:14.344Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1948", "state": "PUBLISHED", "dateUpdated": "2026-03-16T20:22:43.149Z", "dateReserved": "2026-02-05T00:32:13.409Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-14T03:24:14.344Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The NEX-Forms \u2013 Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_license() function in all versions up to, and including, 9.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to to deactivate the plugin license."}, {"lang": "es", "value": "El plugin NEX-Forms \u2013 Ultimate Forms Plugin for WordPress para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n deactivate_license() en todas las versiones hasta la 9.1.9, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, desactiven la licencia del plugin."}], "id": "CVE-2026-1948", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-16T14:18:08.530", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3470888/nex-forms-express-wp-form-builder"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/23b21dbd-caf7-49fc-bed4-4017151ee4ad?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.1.9]"}}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "NEX-Forms \u2013 Ultimate Forms Plugin for WordPress", "source": "cna", "vendor": "webaways"}, "product": "nex-forms-ultimate-forms-plugin", "vendor": "webaways"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-16T23:01:41.492949+00:00", "value": {"mitigation_remediation": ["Update the NEX-Forms plugin to a version newer than 9.1.9.", "Verify that there are no unauthorized users with Subscriber or higher roles, or reduce their privileges if possible.", "Confirm that the plugin\u2019s license deactivation controls now require higher\u2011privilege access.", "Monitor site logs for unexpected license deactivation events to detect any abuse."], "summary": {"action": "Apply Patch", "impact": "License Deactivation / Service Disruption"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the webaways NEX-Forms \u2013 Ultimate Forms Plugin for WordPress, in all versions up to and including 9.1.9. No specific sub\u2011versions are listed beyond this upper bound.", "description_and_impact": "The NEX-Forms \u2013 Ultimate Forms Plugin for WordPress is vulnerable because the deactivate_license() function lacks a capability check. This flaw allows any authenticated user with Subscriber-level access or higher to deactivate the plugin license. As a result, the plugin becomes inoperative, causing loss of form functionality and potential disruption of business processes that depend on it. The weakness is classified as CWE-862 (Missing Authorization).", "risk_and_exploitability": "The CVSS score is 4.3, indicating low-to-moderate severity, and the EPSS score is less than 1%, suggesting a low probability of exploitation. The flaw is not present in CISA\u2019s Known Exploited Vulnerabilities catalog. Because the issue requires an authenticated account with at least Subscriber permissions, any site that has such users is at risk of accidental or malicious license deactivation, but the damage is confined to service disruption rather than data loss or compromise."}}}}, "created": "2026-03-16T09:22:25.237742+00:00", "updated": "2026-03-23T13:39:08.970937+00:00", "vendors": ["webaways", "webaways$PRODUCT$nex-forms-ultimate-forms-plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}