PT-2026-41277 · WordPress · Nex-Forms

Athul Jayaram

·

Published

2026-05-15

·

Updated

2026-05-15

·

CVE-2026-7046

CVSS v3.1

4.9

Medium

VectorAV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions NEX-Forms – Ultimate Forms Plugin for WordPress versions prior to 9.1.13
Description Insufficient escaping of user-supplied parameters and lack of proper preparation in SQL queries allow authenticated attackers with administrator-level access or higher to perform time-based blind SQL Injection. This occurs via the table parameter, enabling the addition of malicious SQL queries to extract sensitive information from the database.
Recommendations Update to a version later than 9.1.12. As a temporary workaround, restrict access to the table parameter to minimize the risk of exploitation.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-7046

Affected Products

Nex-Forms