Medium severity5.3NVD Advisory· Published Mar 12, 2025· Updated Apr 15, 2026

CVE-2024-13498

Description

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.8.1 via file uploads due to insufficient directory listing prevention and lack of randomization of file names. This makes it possible for unauthenticated attackers to extract sensitive data including files uploaded via a form.

Affected products

WordPress/Nex Forms Express Wp Form Builderinferred
Range: <=8.8.1
Package: https://wordpress.org/plugins/nex-forms-express-wp-form-builder

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changeset/3235420/nex-forms-express-wp-form-buildernvd
www.wordfence.com/threat-intel/vulnerabilities/id/f188a5e6-699e-4e1a-b4e4-7fb4056b0beenvd

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000