WordPress · Vedrixa Forms · CVE-2026-8692
**Name of the Vulnerable Software and Affected Versions**
Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder versions prior to 1.1.2
**Description**
An authorization bypass exists because the plugin fails to properly verify if a user is authorized to perform specific actions. Authenticated attackers with subscriber-level access or higher can overwrite the structure of any form by adding, removing, or altering fields. This is achieved by writing attacker-controlled data to the FORMS database table. The `ajax-nonce` nonce used by the handler is exposed on the public frontend via `wp_localize_script()`, allowing any authenticated user visiting a page with a form shortcode to obtain it.
**Recommendations**
Update to a version later than 1.1.1.
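
For plugin developers reviewing their own AJAX handlers, the following added example (not the Vedrixa Forms source and not taken from the advisory) contrasts a nonce-only handler with one that also checks a capability. The function names, the `example_save_form` action, the `example_forms` table with its `structure` column, and the choice of `manage_options` are assumptions; the fragment runs inside WordPress as part of a plugin.

```php
<?php
// Added illustration; hypothetical names, not the Vedrixa Forms source.
// Assumed: action 'example_save_form', table {$wpdb->prefix}example_forms,
// column 'structure', and 'manage_options' as the required capability.

// Weak pattern: the nonce is the only gate. Because the nonce is printed on
// public pages through wp_localize_script(), every logged-in visitor can get
// a valid one, so this check says nothing about what the user may do.
function example_save_form_weak() {
    check_ajax_referer( 'ajax-nonce', 'nonce' );
    example_write_structure(); // reached by any authenticated role
}

// Corrected pattern: nonce for CSRF, capability check for authorization.
function example_save_form_fixed() {
    check_ajax_referer( 'ajax-nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    example_write_structure();
}
add_action( 'wp_ajax_example_save_form', 'example_save_form_fixed' );

// Shared write path: validate the id and the JSON before touching the table.
function example_write_structure() {
    global $wpdb;
    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    $raw     = isset( $_POST['structure'] ) ? wp_unslash( $_POST['structure'] ) : '';
    $fields  = json_decode( $raw, true );
    if ( ! $form_id || ! is_array( $fields ) ) {
        wp_send_json_error( array( 'message' => 'Invalid form data' ), 400 );
    }
    $updated = $wpdb->update(
        $wpdb->prefix . 'example_forms',
        array( 'structure' => wp_json_encode( $fields ) ),
        array( 'id' => $form_id ),
        array( '%s' ),
        array( '%d' )
    );
    if ( false === $updated ) {
        wp_send_json_error( array( 'message' => 'Write failed' ), 500 );
    }
    wp_send_json_success();
}
```

A `wp_ajax_` hook is reachable by every logged-in role, including subscribers, so the `current_user_can()` call is what restricts the write to authorized users.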