CVE-2025-10185
Description
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin is vulnerable to SQL Injection via the 'orderby' parameter in the action nf_load_form_entries in all versions up to, and including, 9.1.6 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This may be exploitable by lower-level users if access is granted by a site administrator.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in NEX-Forms WordPress plugin via 'orderby' parameter allows authenticated admins to extract database info.
Vulnerability
The NEX-Forms plugin for WordPress is vulnerable to SQL injection in all versions up to 9.1.6 via the 'orderby' parameter in the nf_load_form_entries action. The issue stems from insufficient escaping on the user-supplied parameter and lack of prepared statements in the SQL query, allowing attackers to inject malicious SQL.
Exploitation
Exploitation requires authentication with Administrator-level access. However, lower-level users may exploit this if a site administrator grants them access to the affected functionality. The attacker provides a crafted 'orderby' parameter that alters the SQL query's structure, enabling the injection of additional SQL commands.
Impact
An authenticated attacker with sufficient privileges can append SQL queries to existing ones, potentially extracting sensitive information from the WordPress database, such as user credentials or private data. This can lead to further compromise of the site.
Mitigation
As of the publication date, no patch has been released; all versions up to 9.1.6 are affected. Site administrators should limit access to the plugin's functionality and consider disabling the plugin until a fix is available. The vulnerability has not been added to the CISA Known Exploited Vulnerabilities catalog.
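The pattern the advisory describes (a column name taken from the request and spliced into ORDER BY, where value placeholders cannot help) beside the fix a maintainer would apply, as an added illustrative example in plain WordPress PHP; this is not code from the NEX-Forms plugin, and the table name, column list and capability are assumptions:

```php
<?php
// Added illustration, not the plugin's code. Table/column names are assumed.

// Vulnerable pattern: ORDER BY takes an identifier, which cannot be bound
// like a value, so the column name is concatenated unvalidated. Whatever
// follows the column name in $orderby becomes part of the query.
function vulnerable_load_entries( $wpdb, $orderby ) {
    $sql = "SELECT * FROM {$wpdb->prefix}example_entries ORDER BY " . $orderby;
    return $wpdb->get_results( $sql );
}

// Hardened pattern: restrict the identifier to a fixed allowlist, force the
// sort direction to one of two literals, then let wpdb::prepare() quote the
// identifiers with the %i placeholder (WordPress 6.2+; on older cores the
// allowlist alone is what protects the query).
function safe_load_entries( $wpdb, $orderby, $order = 'ASC' ) {
    $allowed_columns = array( 'id', 'form_id', 'date_created' ); // assumed schema
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'id'; // fail closed to a safe default
    }
    $order = ( 'DESC' === strtoupper( $order ) ) ? 'DESC' : 'ASC';

    $sql = $wpdb->prepare(
        "SELECT * FROM %i ORDER BY %i {$order}",
        $wpdb->prefix . 'example_entries',
        $orderby
    );
    return $wpdb->get_results( $sql );
}

// AJAX handler: the advisory notes the action is reachable by administrators
// (and by lower roles if granted), so an explicit capability check plus
// input normalisation belongs in front of the query.
function example_ajax_load_entries() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) { // assumed capability
        wp_send_json_error( 'forbidden', 403 );
    }
    $orderby = isset( $_POST['orderby'] ) ? sanitize_key( wp_unslash( $_POST['orderby'] ) ) : 'id';
    $order   = isset( $_POST['order'] ) ? sanitize_key( wp_unslash( $_POST['order'] ) ) : 'asc';
    wp_send_json_success( safe_load_entries( $wpdb, $orderby, $order ) );
}
add_action( 'wp_ajax_example_load_entries', 'example_ajax_load_entries' );
```

Review of such a handler should confirm the allowlist is checked with strict comparison and that the default is a valid column, since a fallback that is itself user-influenced reopens the hole.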
References: [1] Plugin source code showing the vulnerable SQL query construction.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 9.1.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.svn.wordpress.org/nex-forms-express-wp-form-builder/tags/9.1.4/includes/classes/class.db.php [nvd]
- plugins.trac.wordpress.org/changeset/3365585/nex-forms-express-wp-form-builder/trunk/includes/classes/class.db.php [nvd]
- www.wordfence.com/threat-intel/vulnerabilities/id/e68d47e7-9a42-4a77-aefa-fe130500cbd3 [nvd]
News mentions
No linked articles in our index yet.