PT-2026-5500 · WordPress · Nex-Forms+1

Deadbee · Published 2026-01-31 · Updated 2026-01-31 · CVE-2025-15510

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions
NEX-Forms – Ultimate Forms Plugin for WordPress versions through 9.1.8

Description
The software contains a flaw that allows unauthorized access to data. A missing capability check within the NF5 Export Forms class constructor permits unauthenticated attackers to export form configurations. This export may include sensitive information such as email addresses, PayPal API credentials, and third-party integration keys. Exploitation involves enumerating the nex forms Id parameter.

Recommendations
Update to a version later than 9.1.8.

Fix

Missing Authorization


Weakness Enumeration

Related Identifiers

CVE-2025-15510

Affected Products

Nex-Forms
WordPress