CVE-2026-1948
Awaiting Analysis
Awaiting Analysis - Queue
Unauthorized License Deactivation in NEX-Forms via Missing Capability Check
Publication date: 2026-03-16
Last updated on: 2026-03-16
Assigner: Wordfence
Description
Description
The NEX-Forms β Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_license() function in all versions up to, and including, 9.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to to deactivate the plugin license.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| webaways | nex-forms | to 9.1.9 (inc) |
| nex_forms | ultimate_forms_plugin | to 9.1.9 (inc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
