CVE-2026-1947
Awaiting Analysis Awaiting Analysis - Queue
Insecure Direct Object Reference in NEX-Forms Plugin Allows Entry Overwrite

Publication date: 2026-03-16

Last updated on: 2026-03-16

Assigner: Wordfence

Description
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 9.1.9 via the submit_nex_form() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to to overwrite arbitrary form entries via the 'nf_set_entry_update_id' parameter.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-03-16
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1947
EUVD
EUVD-2026-12200
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nex_forms ultimate_forms_plugin to 9.1.9 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the NEX-Forms – Ultimate Forms Plugin for WordPress, specifically in all versions up to and including 9.1.9. It is an Insecure Direct Object Reference (IDOR) issue found in the submit_nex_form() function. The problem arises because the plugin does not properly validate a user-controlled key, allowing unauthenticated attackers to overwrite arbitrary form entries by manipulating the 'nf_set_entry_update_id' parameter.

Impact Analysis

This vulnerability can allow unauthenticated attackers to overwrite arbitrary form entries within the plugin. This means attackers could potentially alter submitted data without authorization, leading to data integrity issues. Although it does not impact confidentiality or availability, the integrity of form data can be compromised, which could affect the reliability of information collected through the forms.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1947. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart