Medium severity5.3NVD Advisory· Published Jan 31, 2026· Updated Apr 15, 2026

CVE-2025-15510

Description

The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5_Export_Forms class constructor in all versions up to, and including, 9.1.8. This makes it possible for unauthenticated attackers to export form configurations, that may include sensitive data, such as email addresses, PayPal API credentials, and third-party integration keys by enumerating the nex_forms_Id parameter.

Affected products

WordPress/Nex Forms Express Wp Form Builderinferred
Range: <=9.1.8
Package: https://wordpress.org/plugins/nex-forms-express-wp-form-builder

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.1.7/includes/classes/class.export.phpnvd
www.wordfence.com/threat-intel/vulnerabilities/id/ddfa5a3d-fef2-4049-915c-51c3e28153bfnvd

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000