CVE-2026-8692

216.73.216.233

· Published 22/05/2026 09:16 · Modified 22/05/2026 09:16

Labels: CVE-2026-8692 2026-05-22 CVE-2026-8692 CWE-862 [email protected]

Essential information

Published: 22/05/2026 09:16
Modified: 22/05/2026 09:16
Author: —
Creator: —
CVSS: 4.3 MEDIUM (v3.1)
CISA KEV: No
CWE: —
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVSS metrics

Description

The Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite the structure of any form — adding, removing, or altering fields — by writing attacker-controlled data to the plugin's FORMS database table. The 'ajax-nonce' nonce used by this handler is injected into the public frontend via wp_localize_script(), so any authenticated user who visits a page containing a form shortcode can obtain it without any elevated access.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
vedrixa / forms	`cpe:2.3:a:vedrixa:forms:1.1.1:::::wordpress::`
vedrixa / forms	`cpe:2.3:a:vedrixa:forms::::::wordpress::*`