CVE-2026-12404
Status: Received - Intake
Authorization Bypass in NEX-Forms WordPress Plugin

Publication date: 2026-06-27

Last updated on: 2026-06-27

Assigner: Wordfence

Description
The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. The plugin does not verify that the requester is authorized to download saved reports before serving them. Because report IDs are sequential, unauthenticated attackers can enumerate them and download the complete form submission data (names, email addresses, phone numbers, postal addresses, payment details, and uploaded file paths) for any saved report on the site.
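The missing check the description refers to is a common WordPress admin-ajax pattern. The block below is an added example written for this page, not NEX-Forms' own code and not the vendor's fix: a hypothetical report-download handler, first in the vulnerable shape (registered on the nopriv hook and never asking who the caller is), then hardened with a nonce, a capability check and input validation. Every acme_* name, the acme_submissions table and the manage_options capability are placeholders chosen for the illustration.

```php
<?php
/*
 * Added example (not NEX-Forms code): a hypothetical WordPress admin-ajax
 * "download report" endpoint, first with the missing authorization check
 * that CWE-862 describes, then hardened. The acme_* names, the
 * acme_submissions table and the 'manage_options' capability are assumptions.
 */

/** Shared data access: returns the submission rows for one report ID. */
function acme_fetch_report_rows( $report_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'acme_submissions';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT name, email, phone, address FROM {$table} WHERE report_id = %d", $report_id ),
        ARRAY_A
    );
}

/** Streams the rows as a CSV attachment and ends the request. */
function acme_send_report_csv( $report_id, array $rows ) {
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="report-' . $report_id . '.csv"' );
    $out = fopen( 'php://output', 'w' );
    foreach ( $rows as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    wp_die();
}

/* ---- Vulnerable pattern ------------------------------------------------ */

// Registering on wp_ajax_nopriv_* exposes the handler to visitors who are
// not logged in, and the callback never asks who is making the request.
add_action( 'wp_ajax_acme_download_report',        'acme_download_report_vulnerable' );
add_action( 'wp_ajax_nopriv_acme_download_report', 'acme_download_report_vulnerable' );

function acme_download_report_vulnerable() {
    // Report IDs are sequential integers, so walking ?report_id=1,2,3,...
    // against admin-ajax.php?action=acme_download_report dumps every report.
    $report_id = isset( $_GET['report_id'] ) ? absint( $_GET['report_id'] ) : 0;
    acme_send_report_csv( $report_id, acme_fetch_report_rows( $report_id ) );
}

/* ---- Hardened pattern -------------------------------------------------- */

// Only the authenticated hook is registered. Anonymous callers get
// WordPress's default admin-ajax response (HTTP 400, body "0") and never
// reach the callback. That is authentication; authorization comes below.
add_action( 'wp_ajax_acme_download_report_v2', 'acme_download_report_hardened' );

function acme_download_report_hardened() {
    // CSRF: the nonce must come from a page WordPress rendered for this user.
    // On failure check_ajax_referer() terminates the request with HTTP 403.
    check_ajax_referer( 'acme_download_report', 'nonce' );

    // Authorization (the control CWE-862 is about): any logged-in subscriber
    // passes is_user_logged_in(); only users holding the capability may export.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $report_id = isset( $_GET['report_id'] ) ? absint( $_GET['report_id'] ) : 0;
    if ( 0 === $report_id ) {
        wp_send_json_error( array( 'message' => 'Missing or invalid report_id' ), 400 );
    }

    $rows = acme_fetch_report_rows( $report_id );
    if ( empty( $rows ) ) {
        wp_send_json_error( array( 'message' => 'Report not found' ), 404 );
    }

    acme_send_report_csv( $report_id, $rows );
}

/**
 * Builds the download link for the admin screen. The nonce is minted here,
 * server-side, per user and per action name, and expires on its own.
 */
function acme_report_download_url( $report_id ) {
    return add_query_arg(
        array(
            'action'    => 'acme_download_report_v2',
            'report_id' => absint( $report_id ),
            'nonce'     => wp_create_nonce( 'acme_download_report' ),
        ),
        admin_url( 'admin-ajax.php' )
    );
}
```

The capability check is the decisive line: a nonce alone only proves the request came from a page WordPress rendered, and a login alone admits every subscriber. Replacing sequential IDs with random ones raises the cost of enumeration but is not a substitute for the authorization check, and a 404 for unknown IDs is only safe once that check has already run.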
CVSS Scores: none listed
EPSS Scores: not yet evaluated
Affected Vendors & Products
Vendor: nex-forms
Product: ultimate_forms_plugin
Version / Range: up to and including 9.2.2
CWE
CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The vulnerability exists in the NEX-Forms – Ultimate Forms Plugin for WordPress, affecting all versions up to and including 9.2.2. It is an authorization bypass: the plugin does not verify that the requester is authorized to download saved reports before serving them.

Because of this flaw, unauthenticated attackers can enumerate sequential report IDs and download complete form submission data from the site.

The exposed data can include sensitive information such as names, email addresses, phone numbers, postal addresses, payment details, and uploaded file paths.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive personal and payment information collected through forms on a WordPress site using the affected plugin.

Attackers can access private form submission data without authentication, potentially leading to privacy breaches, identity theft, financial fraud, and reputational damage for the site owner.

Compliance Impact

This vulnerability allows unauthenticated attackers to access and download sensitive form submission data including names, email addresses, phone numbers, postal addresses, payment details, and uploaded file paths.

Such unauthorized access to personal and payment information can lead to non-compliance with data protection regulations such as GDPR for the personal data of EU residents, PCI DSS where the forms collect payment card data, and HIPAA where they collect health information, all of which require strict controls on access to personal and sensitive data.

Therefore, exploitation of this vulnerability could result in violations of these standards due to improper authorization and potential data breaches.
