cleantalk
Vulnerabilities and Security Researches

NEX-Forms – Ultimate Form Builder – Contact forms and much more, CVE-2025-4208

CVE, Research URL

CVE-2025-4208

Home page URL

Security reports for NEX-Forms – Ultimate Form Builder – Contact forms and much more

Application

NEX-Forms – Ultimate Form Builder – Contact forms and much more

Published on
May 08, 2025
Research Description
The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Limited Code Execution in all versions up to, and including, 8.9.1 via the get_table_records function. This is due to the unsanitized use of user-supplied input in call_user_func(). This makes it possible for authenticated attackers, with Custom-level access, to execute arbitrary PHP functions that meet specific constraints (static methods or global functions accepting a single array parameter).
Affected versions
Min -, max 8.9.2.
Status
vulnerable
Previous vulnerability researches
Bold Page Builder (CVE-2022-2089) , Jun 06, 2024
Bold Page Builder (CVE-2023-49823) , Jun 06, 2024
Bold Page Builder (CVE-2024-3266) , Jun 06, 2024
Bold Page Builder (CVE-2019-15821) , Jun 06, 2024
Bold Page Builder (CVE-2024-1159) , Jun 06, 2024
New vulnerability
Top 10 – WordPress Popular posts by WebberZone (CVE-2025-47509) , May 09, 2025
Easy Replace Image (CVE-2025-47483) , May 09, 2025
Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress (CVE-2025-47520) , May 09, 2025
GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress (CVE-2025-47508) , May 09, 2025
Simple calendar for Elementor (CVE-2025-47542) , May 09, 2025