CVE-2025-15510
Unauthorized Data Export in NEX-Forms WordPress Plugin
Publication date: 2026-01-31
Last updated on: 2026-01-31
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | nex-forms | to 9.1.8 (inc) |
| unknown_vendor | nex-forms_express | 9.1.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15510 is a vulnerability in the Nex-Forms β Ultimate Forms Plugin for WordPress where unauthorized users can export form configurations without proper permission checks. This happens because the plugin's NF5_Export_Forms class constructor lacks a capability check, allowing unauthenticated attackers to access sensitive data such as email addresses, PayPal API credentials, and third-party integration keys by manipulating the nex_forms_Id parameter. The vulnerability involves improper input sanitization, direct database queries with insufficient sanitization, and outputting data without proper escaping, which can lead to SQL injection, Cross-Site Scripting (XSS), and HTTP header injection risks. [2]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing unauthenticated attackers to access and export sensitive form data stored in your WordPress site, including email addresses, PayPal API credentials, and third-party integration keys. This unauthorized data access can lead to data breaches, compromise of payment systems, and potential further exploitation through SQL injection, XSS, or HTTP header injection attacks, putting your site's security and user data at risk. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability can negatively affect compliance with standards like GDPR and HIPAA because it allows unauthorized access to sensitive personal and payment data. Such unauthorized data exposure violates data protection requirements, potentially leading to non-compliance with regulations that mandate strict controls over access to personal and sensitive information. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests for attempts to access the export functionality without authentication. Specifically, look for requests containing the parameters 'export_form' and 'nex_forms_Id' targeting the Nex-Forms plugin endpoints. A simple detection command using curl could be: curl -v 'http://yourwordpresssite.com/wp-admin/admin-ajax.php?export_form=1&nex_forms_Id=1' to see if form data is exported without authentication. Additionally, network intrusion detection systems (NIDS) can be configured to alert on such parameter patterns in HTTP requests. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Updating the Nex-Forms plugin to a version later than 9.1.8 where the vulnerability is fixed. 2) If an update is not immediately possible, restrict access to the export functionality by limiting access to authenticated users only, for example by applying web application firewall (WAF) rules or restricting access to the relevant admin endpoints. 3) Monitor and block suspicious requests containing 'export_form' and 'nex_forms_Id' parameters. 4) Review and harden input sanitization and output escaping in the plugin code if custom patches are applied. [2]