CVE-2026-8692

Name of the Vulnerable Software and Affected Versions Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder versions prior to 1.1.2

Description An authorization bypass exists because the plugin fails to properly verify if a user is authorized to perform specific actions. Authenticated attackers with subscriber-level access or higher can overwrite the structure of any form by adding, removing, or altering fields. This is achieved by writing attacker-controlled data to the FORMS database table. The ajax-nonce nonce used by the handler is exposed on the public frontend via wp localize script(), allowing any authenticated user visiting a page with a form shortcode to obtain it.

Recommendations Update to a version later than 1.1.1.