CVE Catalog

CVE-2026-12404

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

20th percentile — higher than 20% of all known CVEs

Summary

The NEX-Forms plugin for WordPress up to version 9.2.2 contains an authorization bypass vulnerability. Unauthenticated attackers can enumerate sequential report IDs and download complete form submission data, including names, email addresses, phone numbers, postal addresses, payment details, and uploaded file paths.

Risk Assessment

The risk involves potential mass leakage of sensitive personal and financial user data, which may lead to data protection regulation violations (e.g., GDPR) and loss of customer trust.

Recommendation

Immediately update the NEX-Forms plugin to the latest available version that fixes this vulnerability. If an update is not possible, temporarily disable the plugin until a patch is applied.

Original NVD description (English source)

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to enumerate sequential report IDs and download complete form submission data — including names, email addresses, phone numbers, postal addresses, payment details, and uploaded file paths — for any saved report on the site.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS