CVE-2025-4208

Name of the Vulnerable Software and Affected Versions NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress versions up to, and including, 8.9.1

Description The issue is related to Limited Code Execution due to the unsanitized use of user-supplied input in the call user func() function, specifically via the get table records function. This allows authenticated attackers with Custom-level access to execute arbitrary PHP functions that meet specific constraints, such as static methods or global functions accepting a single array parameter.

Recommendations For versions up to, and including, 8.9.1, consider disabling the get table records function or restricting access to it until a patch is available. Additionally, limiting the use of the call user func() function with user-supplied input can help mitigate the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.